
API development: building secure and performant APIs

Photo from AWS Summit London 2024

Building secure and performant APIs: an introduction

APIs - Application Programming Interfaces - are how separate software systems talk to each other. They let one application share its data and functionality with another, and almost every modern web or mobile app depends on a handful of them.

Whether you're building a simple app or a large enterprise system, the APIs underneath it need to be secure and quick. Get that wrong and everything built on top of them suffers.

In this article we look at what APIs are, how we build custom ones, how we consume existing ones, and the security and performance points that matter most.

What is an API?

An API is an interface, or communication protocol, between two systems. APIs let systems talk to each other using a defined language and a clear set of rules for requests and responses.

  • Web APIs (HTTP-based): The most common form, often used for web services like REST (Representational State Transfer) and GraphQL.
  • Library APIs: These APIs allow one application to call functions or classes from another software library.
  • Operating System APIs: Expose the functionalities of an OS to software applications (e.g., Windows API, POSIX API).

Modern web and mobile applications lean heavily on web APIs, with RESTful APIs the usual choice for their simplicity and scalability.

REST APIs vs GraphQL APIs

  • REST follows a resource-based approach and typically operates using standard HTTP methods (GET, POST, PUT, DELETE) for operations on resources.
  • GraphQL, on the other hand, allows clients to query for exactly the data they need, making it more flexible, though often more complex to implement.

Modern web applications use APIs constantly, passing data back and forth between servers and the client.

For a business, building APIs into your systems opens up integration, data transfer, digital transformation, and reporting and analysis.

At Si Novi we've built plenty of bespoke APIs and consumed plenty of existing ones, in data formats like JSON, HTML and XML.

Creating custom APIs

You build a custom API when you need to expose your own services or data to other applications, whether that's inside your business or out to the world. It's what lets you automate processes, improve the customer experience and build new products on top.

At Si Novi we design and build bespoke APIs, usually with back-end technologies like PHP, Node.js and MySQL. We also build them serverless with AWS Lambda, and pairing that with services like API Gateway, CloudFront and Cognito brings caching, performance and authentication along for the ride.

Key steps in creating an API:

  1. Define what the API needs to do - Start by outlining the specific functionality your API will provide. For example, an e-commerce platform might need an API to manage product listings, inventory levels, and customer orders.
  2. Choose the right structure - The most common type of API is a REST API (Representational State Transfer), which uses simple web technologies (like HTTP) to allow different systems to communicate. It's flexible, widely used and scales well.
  3. Keep it consistent, and version it - APIs should be structured logically, with clear endpoints for each feature (e.g., /orders, /products). Versioning ensures that when updates are made, older versions still work for those relying on them.
  4. Document it - Clear documentation is key. It helps developers who will use your API understand how it works, what data it requires, and how to integrate it into their systems. Tools like Swagger can help generate user-friendly API documentation.

Consuming APIs

We're often asked to consume data from existing APIs, whether they hand back JSON, XML or some other data structure.

Consuming an API just means using someone else's API to bring external services into your own. Plenty of businesses rely on third-party APIs to extend what they offer, connect to cloud services, or reach data they couldn't otherwise get at.

We're comfortable building on top of existing PHP and JavaScript software to consume API data and bring external data into your application.

Typical use cases in this scenario are:

  • Using an external service to enhance your SaaS platform or web application offering
  • Aggregation of data feeds into a database, data lake or statistical dashboards
  • Monitoring of external systems with event triggers and alarms
  • Digital Transformation projects focused on removing duplication of data, allowing several systems to use data from a central source

Securing APIs

APIs handle sensitive business data, so securing them isn't optional. A weak API is an open door - a way into your business and your customers' data - so it's worth getting right and protecting the trust people place in you.

API security measures include:

  1. Use HTTPS - Encrypt communication between your API and external systems by always using HTTPS. This protects data from being intercepted.
  2. Require authentication - Ensure that only authorised users or systems can access your API by implementing security protocols like API keys, OAuth, or JSON Web Tokens (JWT).
  3. Limit access and monitor activity - Not every part of your API should be accessible to everyone. Control who can do what, and monitor usage to identify any suspicious activity early.
  4. Implement rate limiting - To prevent abuse and avoid overloading your systems, limit the number of API requests a user or system can make over a set time period.

Optimising API performance

A slow or unreliable API drags down everything that depends on it. Whether you're managing customer data, inventory or orders, how the API performs feeds straight into the user experience and the efficiency of your operations.

Here are some ways to improve API performance:

  1. Reduce payload sizes - Avoid sending unnecessary data. For example, if you're querying a customer database, you don't need to return every field, just the relevant data.
  2. Implement caching - Caching stores responses for commonly requested data so that future requests can be served faster, without needing to retrieve the same information repeatedly.
  3. Use content delivery networks (CDNs) - If your API delivers large or static files (like images), CDNs can distribute this content more efficiently, improving load times for users across different regions.
  4. Optimise database queries - Ensure that the data your API pulls is retrieved efficiently. Poorly optimised queries can slow down response times and create bottlenecks in your system.

The business value of APIs

APIs are more than a technical detail - they're a genuine business asset. By letting different systems talk to each other efficiently, they help a company move faster, cut operational cost and improve the customer experience.

  • Expand services: With APIs, you can easily integrate new services or third-party tools into your existing business framework. This can help you grow your product offerings or simplify internal processes.
  • Boost productivity: Automating manual tasks through API integrations reduces time spent on routine operations, freeing up your team to focus on the work that matters.
  • Improve customer experience: APIs enable real-time data sharing, which can enhance customer service (e.g., live order tracking or personalised experiences).

Conclusion

APIs sit at the foundation of most modern software. Whether you're building your own or consuming someone else's, security, performance and scalability are the things to keep front of mind. If you're planning a project that leans on APIs, or you've inherited one that isn't behaving itself, get in touch and we'll help you build it properly.


Do you have any thoughts on this article? Get in touch: hello@sinovi.uk


Authored by

James Galley