What is API (Application Programming Interface)?

In depth

An API (Application Programming Interface) is a predefined contract describing how two programs interact. Every modern digital app is a network of APIs: website → backend API → database; mobile app → REST API → microservices; payment form → Stripe API → bank settlement. In 2026 ProgrammableWeb tracks 51,000+ registered public APIs.

Main API architecture patterns: (1) REST (Representational State Transfer) — Roy Fielding's 2000 PhD thesis; HTTP methods (GET, POST, PUT, PATCH, DELETE) + URL paths (`/users/123`); JSON response. Most widespread in 2026 — 80%+ of public APIs. Pros: simple, cacheable, stateless. Cons: over-fetching (unused fields), under-fetching (multiple calls needed).

(2) GraphQL — Facebook (2012, open-sourced 2015); single endpoint, client declares the fields it needs. Query language: `query { user(id: 123) { name email posts { title } } }`. Solves over/under-fetching. Used by GitHub API v4, Shopify Storefront API. Trade-offs — harder caching, learning curve, server-side resolver complexity.

(3) gRPC — Google (2015, open-sourced 2016); HTTP/2 + Protocol Buffers (binary, smaller payload). 7-10× faster than REST. Great for high-performance microservices internal comms (Netflix, Uber). Less suitable for browsers (no native support, gRPC-Web required).

(4) WebSockets — bidirectional persistent connection. Real-time use cases: chat (WhatsApp Web, Slack), live dashboards, collaborative editing (Figma, Google Docs), trading platforms. Server-Sent Events (SSE) — alternative one-way (server → client) push for notifications and live feeds.

(5) Webhooks — "reverse API" — server pushes to a consumer on event. Payment webhook (Stripe charge.succeeded → webhook URL → POST /api/webhooks/stripe). Standard HTTP POST + JSON payload + HMAC signature verification.

API authentication in 2026: (1) API Keys — simplest, sent in header (`Authorization: Bearer XXX`); common for server-to-server; (2) OAuth 2.0 — three-legged flow for user authorisation; Google, Facebook, GitHub login; (3) JWT (JSON Web Tokens) — stateless tokens, RFC 7519; iss, sub, exp claims signed via HMAC or RSA; Auth.js / NextAuth.js uses it by default; (4) mTLS (mutual TLS) — client + server certificates; high-security (banking, healthcare); (5) HMAC signatures — for webhooks (Stripe, GitHub).

Rate limiting & best practices: (1) `429 Too Many Requests` response when limits are exceeded; (2) `X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset` headers; (3) token bucket or leaky bucket algorithms; (4) Redis or Upstash-backed (Craftwebstudio uses Upstash at 100 req/min); (5) versioning (`/v1/users`, `/v2/users` or Accept-Version header); (6) pagination — cursor-based or offset-based; (7) error handling — RFC 7807 Problem Details JSON.

Notable Georgian-market public APIs: (1) BoG API (https://api.bog.ge) — banking, accounts, transfers, e-commerce; (2) TBC Open Banking — PSD2 compatible aggregator API; (3) RS.ge — Georgia Revenue Service, invoice automation; (4) e-Georgia ID API — government auth; (5) Crystal Capital — credit scoring; (6) Tegeta delivery API — last-mile logistics; (7) Bolt.eu — ride-hailing webhook API. Craftwebstudio shipped 12 client integrations with Georgian banks between 2024 and 2026.

Tools & ecosystem: (1) Postman ($0-$15/mo) — API design + testing standard; (2) Insomnia (free) — Postman alternative; (3) OpenAPI/Swagger — REST API specification format; (4) Stoplight, Redocly — API documentation generators; (5) Hoppscotch (open-source Postman alternative); (6) Zapier, Make (low-code API integration). Craftwebstudio uses Redocly Cloud + GitHub Actions for client API documentation.