3 API Protocol Types: Their Differences and When To Use Each
Since 2015, the average number of SaaS apps in use by an organization has exploded from eight to over 100.
APIs are instrumental in getting these apps to talk to each other within a connected, integrated infrastructure. An API (Application Programming Interface) is a structured method by which apps communicate.
But, not all APIs are made equal.
There are four major types of web API, which commonly use three types of API protocols. Each of these API protocols varies in responsiveness and levels of integration — and knowing which API protocol to use is essential to modern, responsive, real-time development.
Types of Web APIs
APIs provide a communication layer between the application with the API and external applications, data sources, and infrastructure. Essentially, an API is how an application communicates with other applications.
Not all APIs are web APIs. Web APIs are designed around web connectivity — generally, with a web-based platform. Up until fairly recently, web APIs were used primarily for payment processing. But the widespread proliferation of SaaS has made web APIs extraordinarily important for connectivity and communication in enterprise-grade apps.
Open APIs are APIs available to the public. They aren't the best regarding security — just because "public" means expanded visibility — but sharing data with them is easier. Open APIs frequently support multiple API protocol types. Examples of open APIs include navigation or weather systems.
You should use an open API to encourage other application developers to connect with your system. Say you're developing a new navigation system — you should use an open API because you want other people to use your GPS information in their apps, and you want apps to report data to you (such as traffic jams). If you're developing a new enterprise SaaS suite, you might also want to release open APIs to encourage third-party developers to build around your ecosystem.
Open APIs may also be called "public APIs." And they don't have to be inherently less secure; the methods used to connect with them are simply more available.
Internal APIs are used within an organization. Frequently, these are solutions provisioned within the organization to make internal apps "talk" to each other. These solutions tend to be very secure, as they are entirely internal. An internal API is built by the company; it will only have API protocol types the organization wants to support.
You should use an internal API if you're trying to integrate two or more of your internal systems, such as your CRMs or logistics suites. Many companies develop internal APIs to talk to systems like Salesforce, which provide the backbone of their infrastructure.
Internal APIs may also be called private APIs. They should not be connected to from outside of a system. Generally, you should only use an internal API if there isn't already a published API available for the suites that you're trying to connect. There's little advantage to reinventing the wheel — and creating an internal API means that it also has to be maintained by an internal software development team.
Partner APIs are shared directly with technology and business partners, so only authorized clients can use that API. A payment processor, for instance. Partner APIs are secured by the partner and are generally very secure. Partners sometimes share multiple API protocol types, especially if they support multiple use cases.
You should use a partner API if you are connecting with a solution that provides one (not every solution does; some require that you code your own integration). If you're creating an ecommerce portal, for instance, you can connect to the PayPal partner API to process payments — instead of having to process payments yourself.
A partner API differs from a public API in that it's only for a partner — someone with an established relationship with the software vendor. Generally, these web applications require some form of authentication (like having a PayPal account or an API key).
Composite APIs connect multiple APIs into a single data or process stream to streamline operations. Composite APIs are more secure than using multiple, individualized solutions, and they may also support multiple API protocol types. Frequently, there's a performance advantage to using a composite API.
Shopify, for instance, provides composite APIs that can sync large volumes of data and actions with other platforms, such as Etsy, eBay, and Amazon. Rather than having multiple APIs to manage the automation of inventory, shipping, and taxes across multiple storefronts, a single API can be used for syncing and integration. The API developer only has to support a single API, and the Shopify store manager doesn't have to manage multiple API endpoints.
API Protocol Types
APIs are built around given communication protocols. API protocols encompass the standards and process that an API uses to communicate — and the data format. An API can use multiple API protocols; for instance, you may be provided with the option of using a REST or SOAP API to integrate with an email server.
But, it's important to note that APIs are built around communication protocols, and communication is flexible. Most API protocol types can transmit virtually anything; it's a matter of workflow and process. The Google Maps API, for instance, provides a comprehensive web service that supports multiple types of interaction and connectivity. Most email systems use SOAP or REST, with server-side management for either.
APIs do not generally impact user experience (although they can if performance hinders them). Instead, APIs impact developer experience — how easy it is to connect and integrate with another system.
REST: Representational State Transfer
Introduced in 2000, REST is one of the more widespread forms of API. REST transmits data in multiple formats: JSON, Python, HTML, or Media. However, it can only transmit over HTTP/HTTPS protocols. REST is more flexible than SOAP (outlined below), but it is limited by its transmission types.
Components of a REST call:
- HTTP method (POST, GET, PUT, DELETE): the action that the API is taking.
- Endpoint (URL): the location the data is being sent to.
- Header: data about the data (such as the origination server).
- Body: the information actually held within the transmission.
A website can use a REST API to communicate with a database. It can GET information from the website, POST information to the website, PUT new information in place of old information, and DELETE outdated information.
Every time a user submits a contact form on a website, for instance, the website is generally POSTing that form data to the server. The server then sends that information to another process, which either logs the information into a database or sends an email.
RPC: Remote Procedure Call
RPC is potentially the oldest type of API, seeing use in the 70s and 80s in various formats. There are actually multiple types of RPC API, such as JSON-RPC and gRPC implementations. Regardless, RPC focuses on calling a process or action — essentially, an app tells a different app to complete a process internally.
RPC is much faster than REST, but the specifics depend on implementation. Unlike REST or SOAP, the message format varies. RPC is tailored toward a client-server architecture and generally over a network.
Components of an RPC system:
- Client: the requesting device.
- Client stub: how the client will package/unpackage its materials.
- RPC runtime: the messaging system (a courier between the client and server).
- Server stub: how the server will package/unpackage its materials.
- Server: the supplying device.
An ecommerce platform could use an RPC solution to send information to its inventory system. The ecommerce platform would bundle the sales information and send it to the inventory system via the RPC runtime. The inventory system would unpackage the information and run its internal data-logging processes.
The inventory system then bundles a response (containing information such as updated inventory totals) to the ecommerce platform. The ecommerce platform would then unpackage that information, using it to update its listings.
However, it should be noted that RPC calls are more likely to be network-based. For instance, an individual's business phone could send a call to the business' security system. The security system would then validate whether the business phone is secured enough to connect with the organization's internal network --- if the phone is secured enough, it would then be authenticated and passed through to the network.
SOAP: Simple Object Access Protocol
Introduced in 1998, SOAP is one of the simplest forms of API. SOAP transmits XML files, usually over HTTP/HTTPS, but also over SMTP, TCP, and UDP. SOAP transmissions are simple and broad, which makes them easy to deploy and hard to debug.
SOAP outlines a simple transmission mechanic. It packages things in an XML file (a standard file format). It's easy to build an XML file and complete a SOAP transmission, but because SOAP is so simple, it also has a wide margin for error.
Components of a SOAP:
- Envelope: the beginning/end of the message.
- Header: information about the message, such as authentication requirements.
- Body: the actual message.
- Fault: error messages.
Emails frequently use SOAP systems. A website can send an email to someone embedded within a SOAP envelope. The header would describe who the information was to/from, the body would be the email message, and the fault codes would relate to email failure (such as an email getting bounced).
However, this also highlights one of the flaws of the SOAP system. It is simple enough that it can also be taken advantage of. In an email, a header can be "spoofed" to seem like it came from another recipient entirely. There is no built-in authentication to any of these API protocols; that has to be handled by the sending and receiving devices.
APIs vs. Web Services and SDKs
Beyond knowing what a web API is, it's important to know what web APIs aren't. APIs are frequently confused with SDKs or web services, both are similar but not identical.
Web services are a type of API built for the web. SOAP and REST are web services API types. While RPC can be used to build web APIs, it isn't a web service — RPC is primarily a method of interacting within a network.
All web services are APIs, but not all APIs are web services. To be a web service, a web API needs to support both XML formatting and HTML transmission. Web services can become extremely complex, depending on the systems that are being connected to.
SDKs will frequently include APIs, but they also include other fundamental components and building blocks of software, such as general libraries. Further, APIs aren't always included in SDKs — a developer working with an SDK may still need to integrate or compose an API if one isn't available.
Deploy API Integration Faster With Stream
We live in a connected world, and fast, real-time communications become more important every day. Deep API integration facilitates communication not just between applications but between people.
Luckily, most companies will never need to develop an API on their own — or even learn more about API protocol types. Instead, they just need to find the right API for their use cases.
Stream makes it easier to integrate with communication-focused APIs designed for scale. Stream provides best-in-class:
- Chat messaging APIs. Build in-app chats quickly with Stream's Chat API, SDKs, and UI/UX kits powered by the Global EDGE network. Improve user experience, generate leads, build communities, and create relationships with real-time person-to-person interactions.
- Activity feeds. Create lightning-fast, enterprise-grade activity feeds that can scale to over 100 million users. Build social media sites, ecommerce sites, and communities with a feeling of connection.
Try Stream's powerful chat and activity APIs today: Start your free trial.