API stands for application programming interface, which is a boring way of saying “a way for computers to easily talk to one another.”

Tell me more.

If you open up the New York Times homepage, you see all kinds of stuff - headlines, bylines, links, images, etc etc, all associated with one another. It’s easy for you to know that the big stuff is a headline, the stuff on the side is less important, and what images go with what stories. We’re humans, we’re great at context!

For a computer, though, it’s a little more problematic. Things that are simple for humans to understand are often very difficult for a computer to read! Computers like lists and dictionaries and sometimes even CSV files, but not random webpages filled with information.

Since computers aren’t good at reading the information on web pages, programmers have developed a special way of having computers talk to each other called APIs - application programming interface. These APIs are usually the same kinds of URLs that you can visit in the browser, but instead of a normal pleasant web page you’ll see data formatted in a very structured way that is easy for computers to read.

Show me!


Authenticating with an API

Sometimes APIs are just web pages that anyone can visit on the internet, but a lot of the time they aren’t just open to everyone. You need to register on the site and prove who you are every time you use the API. This is called authentication.

Type 1: Open APIs

For an open API, you don’t need to use anything to prove who you are.

Type 2: API keys

The most common level of API authorization is using API keys. These are long strings of characters that you send along with your request to prove who you are. When you sign up for the service, your provider gives you an API key to use to identify yourself.

For example, forecast.io has an API that you can use to get the weather. Let’s say your API key is 15274402c474b3dab67f7377e1f95517, you might use the following URL to get the forecast for the latitude/longitude pair 37.8267,-122.4233:


Every time that URL is visited, Forecast.io’s server looks me up and say “Oh, okay, I know who that request is from!” and keeps track of me. Why does it need to know? Some companies just like to know who is using their APIs, but forecast charges if you go over a thousand requests a day - I’m probably using their API for business, so they feel like they deserve a cut.

Type 3: OAuth APIs

OAuth APIs are the grown-up version of API keys. They’re… a little complicated and I’ll write more about them later.