26th Oct 17, by John Doe

Developing APIs is getting more and more popular, but it is still a blurry field for many developers. We collected some common questions and tried to answer them in one place.

01. What are APIs in general?

Wikipedia provides a helpful and understandable description of APIs in general, but let’s summarize the fancy words: an API is an interface through which we allow other services to perform CRUD actions.

Of course, some APIs are more complicated, and some just share data and don’t offer any editing action.

02. What does RESTful mean?

Again, if you are interested in the whole architecture, you should dig a bit deeper. In short, it means an endpoint structure where different endpoints refer to different actions on a resource. Of course, it is not that simple.

We use different HTTP methods to distinguish between the endpoints. Let’s see an example:

# List all the posts
GET     /posts

# Create a post
POST    /posts

# View a post
GET     /posts/{id}

# Update a post
PATCH   /posts/{id}

# Delete a post
DELETE  /posts/{id}

As you can see, we use a different method and endpoint combination for each action. In Laravel, we bind controller methods to these endpoints, and each method performs the proper operation.

03. What is a stateless API?

If you are more interested in the difference between stateful and stateless services, you should read this article. But we try to focus on simplicity, so let’s boil it down.

In stateful services – like a traditional web application – a user logs in with an email/password combination and the service stores the authenticated user in the session. We keep the data in the “state,” and we retrieve it from there whenever we need it.

Stateless services work differently. The session is remote, meaning the API service does not handle it. That remote session stores the credentials, which we must attach to every request we send to the API. The point is that the API does not save any state; it only processes the credentials sent with each request.

04. How does API authentication work?

Mostly, APIs identify the user from a token, which can be attached as a query string parameter or as a header. There are two popular token-based authentication approaches:

The first is API token authentication, where the user has a unique, previously generated token. If we send the token with the request, the API service authenticates the user behind the scenes. Laravel supports this approach by default.

The other way is to use JSON Web Tokens (JWT). It’s a more complex approach but offers more possibilities and more security. By default, Laravel does not support JSON Web Tokens, but there is an excellent package for that.

Also, you may use Laravel Passport for OAuth2-based API authentication.

05. Why does Laravel have a “web” and an “api” middleware group?

It’s connected to the stateful – stateless section. The API layer has different needs and options than the web layer. For example:

  • No session: the API middleware group does not include session handling,
  • API rate limiting: the number of requests is limited to a given number per minute,
  • No CSRF token validation: an API authenticates the request by the API token, not by the CSRF token,
  • No cookie encryption.

If you are using route-model binding in your API controllers, make sure you added the “bindings” middleware to the API middleware group.
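As an added example (not code from the original post), here is a routes/api.php that ties sections 02, 04 and 05 together: a token-issuing endpoint plus the five post endpoints, with the read-only ones public and the writes behind the auth:api token guard. It assumes Laravel 5.8 to 7.x (the token guard’s hash option and string controller references), a users.api_token column, and a hypothetical PostController.

```php
<?php
// routes/api.php (added example). Assumes config/auth.php defines the guard
// 'api' => ['driver' => 'token', 'provider' => 'users', 'hash' => true],
// so users.api_token holds sha256 hashes rather than raw tokens.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// Issue a token: the client sends email/password once, receives a random token,
// and from then on sends only "Authorization: Bearer <token>" (no session, stateless).
Route::post('/token', function (Request $request) {
    $credentials = $request->validate([
        'email'    => 'required|email',
        'password' => 'required|string',
    ]);

    // validate() checks the password without starting a session login.
    if (! Auth::guard('web')->validate($credentials)) {
        return response()->json(['message' => 'Invalid credentials'], 401);
    }

    $user = Auth::guard('web')->getProvider()->retrieveByCredentials($credentials);
    $plainToken = Str::random(60);

    // Persist only the hash: a leaked users table does not yield usable tokens.
    $user->forceFill(['api_token' => hash('sha256', $plainToken)])->save();

    // The plaintext token is returned exactly once; it cannot be recovered later.
    return response()->json(['token' => $plainToken]);
})->middleware('throttle:5,1'); // stricter limit on the credential endpoint

// Read-only endpoints stay public (section 01: some APIs only share data).
Route::get('/posts', 'PostController@index');
Route::get('/posts/{post}', 'PostController@show');

// Writes require a valid token. The "api" middleware group already applies
// throttle:60,1 and "bindings", so {post} is resolved by route-model binding.
Route::middleware('auth:api')->group(function () {
    Route::post('/posts', 'PostController@store');
    Route::patch('/posts/{post}', 'PostController@update');
    Route::delete('/posts/{post}', 'PostController@destroy');
});
```

With hash set to true, the token guard hashes the incoming bearer token with sha256 before looking it up, so the lookup works without ever storing the raw token.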