4. Understanding and Using APIs
What are 2 Cisco webhook examples?
2 examples of this concept are: Cisco DNA Center: lets third-party apps receive network data when specific events occur. Cisco Webex Teams: get a notification when a message is posted, without relying on a polling mechanism.
What are 3 commonly used response header keys that provide rate limit details?
3 commonly used keys are:
-X-RateLimit-Limit: maximum number of requests allowed in the specified unit of time.
-X-RateLimit-Remaining: number of requests remaining in the current rate-limit window.
-X-RateLimit-Reset: the time at which the current rate-limit window resets (APIs differ on whether this is an epoch timestamp or a number of seconds from now; check the documentation).
What are 4 ways that a REST API request can provide an API Key?
4 ways this can be provided are:
-Query string: the key is sent as a key-value pair in the URI. Use for Public API Keys only, since query strings are recorded in server, proxy and browser-history logs.
-Header: uses the Authorization key or a custom key, e.g. Authorization: <API Key>, Authorization: APIkey <API Key>, or APIkey: <API Key>
-Body data: uses a unique key as the identifier, with the body type declared in the header, e.g. Content-Type: application/json
-Cookie: uses a unique key as the identifier, e.g. Cookie: API_KEY=<API Key>
What are 5 common 5xx Server-side Error return codes?
5 of these common 5xx return codes are:
-500 : Internal Server Error : server encountered an unexpected condition that prevented it from fulfilling the request.
-501 : Not Implemented : server doesn't support the functionality required to fulfill the request.
-502 : Bad Gateway : while acting as a gateway or proxy, server received an invalid response from an upstream server it accessed while attempting to fulfill the request.
-503 : Service Unavailable : server is currently unable to handle the request due to a temporary overload or scheduled maintenance.
-504 : Gateway Timeout : while acting as a gateway or proxy, server didn't receive a timely response from an upstream server it needed to access to complete the request.
What are 9 common 4xx Client-side error return codes?
9 of these common 4xx return codes are:
-400 : Bad Request : request not understood by the server; bad syntax.
-401 : Unauthorized : request lacks valid authentication credentials (missing, expired or invalid).
-403 : Forbidden : server recognizes the authentication, but the client is not authorized to perform the request.
-404 : Not Found : nothing found at the request URI.
-405 : Method Not Allowed : server recognizes the resource, but the HTTP method in the request is not allowed for it.
-406 : Not Acceptable : server has the data but can't represent it using any of the options listed in the client's Accept- headers.
-407 : Proxy Authentication Required : client must first authenticate itself with the proxy.
-409 : Conflict : request could not be completed due to a conflict with the current state of the target resource.
-415 : Unsupported Media Type : client sent a request body in a format (XML, JSON, YAML) that the server doesn't support.
Why use APIs?
A few of the many use-cases for this include: Automation tasks, Data integration, Functionality.
What is REST API: API Key?
Also known as an API Token, this REST API authentication mechanism is a unique, server-generated alphanumeric string assigned to a user, usually obtained by logging in to a portal with their credentials. There are 2 types: Public and Private. The key is sent in the clear with every request, so it is only secure when used with HTTPS.
What is REST API: Bearer Authentication?
Also known as Token Authentication, this REST API authentication mechanism is more secure than Basic Auth, is typically used with OAuth and Single Sign-On (SSO), and uses a bearer token: a string generated by an authentication server such as an Identity Service (IdS), sent as Authorization: Bearer <token>. Whoever holds the token can use it, so it must be used with HTTPS.
What are REST API Responses?
Essentially an HTTP response, these communicate the results of a client's HTTP request: the data requested, notification that the server received the request, or information about any problems with the request.
What error code does the server Respond with if it can't provide any of the requested data compression types?
If the server can't provide any of these it will respond with the error code: 406 : Not Acceptable
What 3 steps should be performed for all REST API requests that have a return status code?
In a case such as this, the 3 steps are: 1. check the return code. 2. check the response body for a message sent along with the return code. 3. if steps 1 and 2 don't resolve the issue, check the status code reference to understand the code's definition.
What are the 3 common architectural styles of API?
The 3 most common types of these are: RPC (remote procedure call), SOAP (simple object access protocol), and REST (representational state transfer).
What are 4 common algorithms used to implement API Rate Limits?
The 4 common ways include:
-Leaky bucket
-Token bucket
-Fixed window counter
-Sliding window counter
What are the 4 major components of a REST API request?
The 4 major components of this API request type are:
-Uniform Resource Identifier (URI)
-HTTP Method/Verb
-Header
-Body
What are the 5 categories of HTTP Status codes?
The 5 categories of this code-type are:
-1xx: informational: server received the request but has not finished processing it.
-2xx: success: server received and accepted the request. Synchronous: response contains the applicable data. Asynchronous: confirmation that the request was received; it still needs to be fulfilled.
-3xx: redirection: client has additional action to take for the request to be completed.
-4xx: client error: request contains an error (bad syntax, invalid input).
-5xx: server error: server is unable to fulfill the request even though the request is valid.
What are the 6 constraints that can be applied to any protocol, making it RESTful?
The 6 constraints that can be applied to any protocol, making it RESTful, are:
-Client-server
-Stateless
-Cache
-Uniform Interface
-Layered System
-Code-On-Demand (optional)
How do you know what rate limit is used by an API?
The APIs documentation provides this detail, and it may also be found in the response's header.
What are the accepted values when requesting data compression by adding the Accept-Encoding field to the API Request header?
The accepted values for this request are:
-gzip
-compress
-deflate
-br
-identity
-* (any encoding not otherwise listed)
What are the suggested mappings for the HTTP Methods/Verbs: POST, GET, PUT, PATCH, DELETE?
The suggested mappings for these are:
-POST: Create: create a new object or resource
-GET: Read: retrieve resource details from the system
-PUT: Update: replace or update an existing resource
-PATCH: Partial Update: update some details of an existing resource
-DELETE: Delete: remove a resource from the system
What are REST API Sequence Diagrams?
These are used to explain REST API exchanges and events; Request/Response and asynchronous activity. They are considered a subset of a standardized modeling system: Unified Modeling Language (UML).
What are the 2 ways (design styles) that APIs can be delivered?
These can be delivered either synchronously or asynchronously.
What are some of the most common HTTP error codes: 200, 201, 202, 400, 401, 403, 404, 500, 503?
These most common codes are:
-200 : OK : request successful.
-201 : Created : request fulfilled, resource created.
-202 : Accepted : request accepted for processing, but processing is not complete (asynchronous).
-400 : Bad Request : error with request, won't be processed.
-401 : Unauthorized : request has missing or invalid authentication.
-403 : Forbidden : authentication recognized, client is not authorized to perform the request.
-404 : Not Found : request not fulfilled, resource path not found on server.
-500 : Internal Server Error : request not fulfilled due to server error.
-503 : Service Unavailable : request not fulfilled, server currently can't handle the request.
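The three-step check from the cards above (status code, then message in the body, then the status-code reference), applied to one response. This is an added example, not Cisco course code. It works on a plain (status, headers, body) triple so it runs offline; the reference table is a subset of the codes listed on this page, and the JSON message keys it tries are assumed common conventions, not any particular API's contract.

```python
"""Three-step triage of a REST API response: status class, body message, reference lookup."""
import json
from typing import Any, Dict, Optional

CATEGORY = {1: "informational", 2: "success", 3: "redirection", 4: "client error", 5: "server error"}
# Subset of the status codes listed on this page; step 3 falls back to this table.
REFERENCE = {
    200: "OK", 201: "Created", 202: "Accepted", 400: "Bad Request", 401: "Unauthorized",
    403: "Forbidden", 404: "Not Found", 405: "Method Not Allowed", 406: "Not Acceptable",
    409: "Conflict", 415: "Unsupported Media Type", 429: "Too Many Requests",
    500: "Internal Server Error", 503: "Service Unavailable",
}


def classify(status: int) -> str:
    """Step 1: the first digit of the code gives its category."""
    if not 100 <= status <= 599:
        raise ValueError(f"not an HTTP status code: {status}")
    return CATEGORY[status // 100]


def message_from_body(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Step 2: pull a human-readable message out of a JSON body, if the server sent one."""
    content_type = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if "json" not in content_type.lower() or not body:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    for key in ("message", "error", "detail", "description"):   # assumed common key names
        value = doc.get(key)
        if isinstance(value, str):
            return value
        if isinstance(value, dict) and isinstance(value.get("message"), str):
            return value["message"]
    return None


def triage(status: int, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
    """Run all three steps and say what the client should do next."""
    category = classify(status)
    message = message_from_body(headers, body)
    reference = REFERENCE.get(status, "not in local table; consult the status code reference")
    if category == "success":
        outcome = "async-accepted" if status == 202 else "ok"
    elif category == "client error":
        outcome = "fix request"          # resend only after changing the request
    elif category == "server error":
        outcome = "retry later"          # the request was valid; back off and retry
    else:
        outcome = "follow up"            # 1xx: keep going; 3xx: follow Location
    return {"status": status, "category": category, "message": message,
            "reference": reference, "outcome": outcome}
```

A client that branches on the category rather than on individual codes keeps working when an API introduces a code it has never seen; the body message and reference lookup then tell the operator what actually happened.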
REST API Responses are made up of what 3 major components?
These response-types are made up of HTTP Status, Header, and Body components.
How does the API Rate Limit algorithm: Sliding Window Counter work?
This API rate-limit algorithm allows a fixed number of requests within a window of fixed length that slides with time instead of starting at fixed boundaries. The count is not reset when a new period begins: the server stores the timestamp of each request and, for a new request, counts the requests that fall within the trailing window to decide whether it is processed or rejected. The client doesn't need to know when a window starts or ends, only that the rate limit is not exceeded at the time of the request. The client must be designed to delay requests so the allowed rate isn't exceeded, and to handle rejected requests.
How does the API Rate Limit algorithm: Token Bucket work?
This API rate-limit algorithm gives each user a defined number of tokens per increment of time; unused tokens accumulate (up to a cap) until they are used. When the client makes a request, the server checks that the client's bucket holds at least one token, removing one to process the request or rejecting the request if no tokens are available. The client should track its current token count to avoid rejection, and handle rejections with a retry mechanism that waits for tokens to be replenished.
How does the API Rate Limit algorithm: Fixed Window Counter work?
This API rate-limit algorithm is similar to Token Bucket, except for two major differences: -it uses a counter, not tokens. -the counter doesn't accumulate. A fixed window of time is assigned a counter representing how many requests can be processed during that period; when the window ends the counter resets. The client must know when the window starts and ends to know how many requests it can make in that duration, and must build a retry mechanism for when the next window starts.
How does the API Rate Limit algorithm: Leaky Bucket work?
This API rate-limit algorithm puts all incoming requests into a request queue in the order received. Requests can arrive at any rate, but the server only processes queued requests at a fixed rate. Requests are rejected when the queue is full. The client must be prepared for delayed and rejected requests.
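The four algorithms described in the cards above, modelled in Python so their differences (accumulating tokens, resetting counters, a trailing window, a draining queue) can be stepped through. This is an added example, not code from the course or from any Cisco product. The current time (`now`, in seconds) is passed in rather than read from the clock so the behaviour is deterministic; all limits and timings below are sample values.

```python
"""Models of the token bucket, fixed window, sliding window and leaky bucket rate limiters."""
from collections import deque
from typing import Deque, Optional


class TokenBucket:
    """Tokens accrue at `rate` per second up to `capacity` and accumulate while unused;
    a request consumes one token or is rejected."""
    def __init__(self, capacity: int, rate: float, now: float) -> None:
        self.capacity, self.rate = capacity, rate
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FixedWindowCounter:
    """One counter per window of `window` seconds (boundaries at multiples of `window`).
    The counter resets at each boundary and never carries over."""
    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.window_start: Optional[float] = None
        self.count = 0

    def allow(self, now: float) -> bool:
        start = now - (now % self.window)
        if start != self.window_start:
            self.window_start, self.count = start, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


class SlidingWindowCounter:
    """Stores request timestamps; a request passes if fewer than `limit` requests fall in
    the trailing `window` seconds. Slots free up one at a time as old requests age out,
    so the count is never reset wholesale at a boundary."""
    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.stamps: Deque[float] = deque()

    def allow(self, now: float) -> bool:
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()
        if len(self.stamps) < self.limit:
            self.stamps.append(now)
            return True
        return False


class LeakyBucket:
    """Requests wait in a bounded FIFO queue that drains at `rate` per second;
    a request arriving at a full queue is rejected."""
    def __init__(self, capacity: int, rate: float, now: float) -> None:
        self.capacity, self.rate = capacity, rate
        self.queue: Deque[str] = deque()
        self.last = now
        self.credit = 0.0   # fractional "leak" accumulated since the last drain

    def _drain(self, now: float) -> None:
        self.credit += (now - self.last) * self.rate
        self.last = now
        while self.queue and self.credit >= 1.0:
            self.queue.popleft()     # one queued request serviced
            self.credit -= 1.0
        if not self.queue:
            self.credit = 0.0        # an empty bucket cannot bank leak capacity

    def enqueue(self, request: str, now: float) -> bool:
        self._drain(now)
        if len(self.queue) >= self.capacity:
            return False
        self.queue.append(request)
        return True

    def pending(self, now: float) -> int:
        """Number of requests still waiting at time `now`."""
        self._drain(now)
        return len(self.queue)
```

The server-side choice shapes the client: against a fixed window the client can burst at the boundary; against a sliding window it must pace itself continuously; against a leaky bucket it must tolerate latency even when nothing is rejected.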
What is the asynchronous design style of API?
This API delivery format first returns a response that only signifies the request has been received; no data is provided initially. The server then processes the request and sends a notification or triggers a callback with the data. APIs are designed this way when the request is an action that takes some time for the server to process, or when the data is not readily available. The app making the request can continue code execution without being blocked while the server processes the request, which can improve app performance when used properly.
What is the synchronous design style of API?
This API delivery format responds to a request directly, providing the data/response immediately. APIs are designed this way when the data for the request is readily available, e.g. stored in memory or a database. The app making the API request must wait for the data/response before performing any additional code execution tasks.
What is API Compressed Response Data?
This API feature is used to reduce bandwidth usage when sending large amounts of data for which pagination is not an option. The client requests it through the API request header by adding the Accept-Encoding field; the server states which encoding it applied in the response's Content-Encoding header.
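The client side of the exchange described above and in the Accept-Encoding card: advertise only the encodings this client can decode, then decode the body according to the server's Content-Encoding header. This is an added example, not course code. It assumes a server that sends either gzip, deflate or identity (there is no `br` decoder in the standard library, so `br` is deliberately not advertised), and it caps the decompressed size because a small compressed body can expand into a very large one. Sample responses are constructed in the block.

```python
"""Request compressed responses and decode them safely by Content-Encoding."""
import gzip
import zlib
from typing import Dict, Tuple

ACCEPTED = ("gzip", "deflate", "identity")   # what this client can decode; no 'br' without a brotli library
PAYLOAD = b'{"items": [{"id": 1}, {"id": 2}]}'   # constructed sample body


def accept_encoding_header() -> Dict[str, str]:
    return {"Accept-Encoding": ", ".join(ACCEPTED)}


def _inflate(data: bytes, wbits: int, max_size: int) -> bytes:
    """Inflate with a hard output cap so a decompression bomb cannot exhaust memory."""
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, max_size + 1)
    if len(out) > max_size:
        raise ValueError("decompressed body exceeds limit (possible decompression bomb)")
    if not d.eof:
        raise ValueError("compressed body is truncated")
    return out


def decode_body(content_encoding: str, body: bytes, max_size: int = 8 * 1024 * 1024) -> bytes:
    """Undo the encodings named in Content-Encoding, last applied first."""
    encodings = [e.strip().lower() for e in (content_encoding or "identity").split(",") if e.strip()]
    data = body
    for enc in reversed(encodings):
        if enc == "identity":
            continue
        if enc in ("gzip", "x-gzip"):
            data = _inflate(data, 16 + zlib.MAX_WBITS, max_size)
        elif enc == "deflate":
            try:
                data = _inflate(data, zlib.MAX_WBITS, max_size)      # RFC form: zlib-wrapped
            except zlib.error:
                data = _inflate(data, -zlib.MAX_WBITS, max_size)     # some servers send raw deflate
        else:
            raise ValueError(f"unsupported Content-Encoding: {enc}")
    return data


def sample_responses() -> Dict[str, Tuple[str, bytes]]:
    """Constructed server responses as (Content-Encoding, body) pairs."""
    raw = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return {
        "gzip": ("gzip", gzip.compress(PAYLOAD)),
        "deflate": ("deflate", zlib.compress(PAYLOAD)),
        "raw-deflate": ("deflate", raw.compress(PAYLOAD) + raw.flush()),
        "identity": ("identity", PAYLOAD),
        "bomb": ("gzip", gzip.compress(b"\0" * 200_000)),   # tiny on the wire, large when inflated
    }
```

Most HTTP client libraries do this decoding for you; the point of doing it by hand is to see that the size limit has to be enforced while inflating, not after.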
What is a REST API request?
This API-type request is a way for an application (client) to ask the server to perform a function that is predefined by the server and must follow the provided specification.
What is the REST API Response component: HTTP Status?
This REST API Response component uses standard 3-digit codes to inform the client of request success or failure. The code provides information for the client to determine the reason for an error.
What is the REST API Request and Response component: Body?
This REST API component contains the data pertaining to the resource that the client wants to manipulate. It is optional, depending on the HTTP method used, but if data is present its type must be specified in the Content-Type header.
What is the REST API request component: HTTP Method?
This REST API component, AKA HTTP Verbs, tells the web service which action is being requested for the given resource.
What is the REST API Request and Response component: Request Header?
This REST API header type includes additional information not related to the content of the message.
What is the REST API Request and Response component: Entity Header?
This REST API header type includes additional information that describes the content of the message body.
What is the REST API request component: Uniform Resource Identifier (URI) or (URL)?
This REST API request component identifies which resource the client wants to manipulate, and consists of 4 components in this particular order:
-Scheme
-Authority
-Resource Path
-Query
What does the REST Code-On-Demand constraint state?
This REST constraint is optional: information returned by a REST server can include executable code, or links to such code, intended to usefully extend client functionality. This is a potential security risk, because the client runs code supplied by the server, and firewalls and policy-management tools may block such code from executing.
What does the REST Stateless constraint state?
This REST constraint states that each request from the client to the server must contain all of the information the server needs to fulfill the request. The server must not store client session state between requests; session state is kept entirely on the client.
What does the REST Cache constraint state?
This REST constraint states that responses from the server must state whether the response is cacheable or non-cacheable. If cacheable, the client can use the data from the response for later requests.
What does the REST Client-Server constraint state?
This REST constraint states that the client and server should be independent of each other, enabling the client to be built for multiple platforms and simplifying the server side components.
What does the REST Uniform Interface constraint state?
This REST constraint states that the interface between the client and the server must adhere to 4 principles:
-Identification of resources: the resource must be identified in the request as the individual object that the server will access and manipulate.
-Manipulation of resources through representations: the representation of the resource sent by the server must contain enough data or metadata for the client to be able to manipulate the resource.
-Self-descriptive messages: each message must contain all the info the recipient needs to process it (protocol type, data format, requested operation).
-Hypermedia as the engine of application state (HATEOAS): data sent by the server must include links to additional actions and resources so the client can access supplemental information about the resource.
What does the REST Layered System constraint state?
This REST constraint states that the system is made up of different hierarchical layers and that each layer provides services to only the layer above it; consuming services from the layer below.
What is the URI/URL component: Authority?
This URI/URL component, preceded by two forward slashes (//) and also known as the destination, consists of two parts:
-Host: the hostname or IP address of the server that provides the REST API (web service).
-Port: the communication endpoint (port number) associated with the host, always preceded by a colon. It can be omitted from the URI/URL if the server is using the default port: 80 for HTTP, 443 for HTTPS.
What is the URI/URL component: Resource Path?
This URI/URL component is preceded by a single forward slash and represents the location of the resource/data/object that is to be manipulated by the server. It can consist of multiple segments separated by forward slashes.
What is the URI/URL component: Scheme?
This URI/URL component specifies which protocol should be used. A REST API has two options:
-HTTP: plaintext; the connection is not encrypted.
-HTTPS: the connection is encrypted with TLS and the server is authenticated by its certificate.
What are API Rate Limits?
This allows a web service to control the number of requests a user or application can make per defined unit of time; it is best practice for public and unrestricted APIs. Rate limits help:
-avoid server overload
-provide better service/response time to all users
-mitigate DoS attacks
What is an Application Programming Interface (API)?
This defines how a programmer can write a piece of software to talk to an existing application's features, or build entirely new applications, using web-based interactions/communication protocols and/or its own proprietary standards.
What is API Response Pagination?
This feature reduces bandwidth usage on the network by paginating large amounts of data; such as search results.
What is Simple Object Access Protocol (SOAP)?
This is an XML-based messaging protocol for communicating between apps that may be on different platforms or built with different programming languages; it was originally developed at Microsoft. Commonly used over HTTP transport, but it can be carried over other protocols including SMTP, TCP, UDP and JMS. Designed so all types of apps can communicate with each other. Extensions (the WS-* specifications, e.g. WS-Security) can be built on top of it, adding reliability and security features.
What is a REST web service API?
This is a programming interface that communicates over HTTP while adhering to the principles of the REST architectural style. Because they communicate over HTTP, they use the same concepts as the HTTP protocol:
-HTTP requests/responses
-HTTP verbs
-HTTP status codes
-HTTP headers/body
What is remote procedure call RPC?
This is a request-response API architecture model that lets an app (acting as client) make a procedure call to another app (acting as server) that's typically on another system within the network. With this style the client is unaware that the procedure is being executed remotely, because the request is made to a layer that hides those details. In its most common usage the client makes a synchronous request and is blocked until the response is sent back by the server. To the client, this is just a method with arguments: when it's called, the method gets executed and the results get returned.
Who authored representational state transfer REST?
This is an API architectural style authored by American computer scientist Roy Thomas Fielding in chapter 5 of his doctoral dissertation: Architectural Styles and the Design of Network-based Software Architectures (2000).
What is a Webhook?
This is an HTTP POST, to a URL specified by the receiving application, that is triggered by a particular activity or event. It lets applications get real-time data and makes them more efficient, since they don't need a polling mechanism.
What is a SOAP message?
This is an XML document that may contain 4 elements:
-Envelope: required; must be the root element of the XML document.
-Header: optional; if used, must be the first child of the Envelope element. Contains app-specific info such as authorization, SOAP attributes and app-defined attributes.
-Body: required; the data to be transported to the recipient. Must be in XML format and in its own namespace.
-Fault: optional, at most one; if used, must be a child element of Body. Provides error and/or status info.
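Building a SOAP 1.1 message and checking the element rules listed above (Envelope as root, optional Header first, Body present, at most one Fault inside Body). This is an added example, not course code; the namespace URI is the standard SOAP 1.1 envelope namespace, and the application elements (`m:GetDevice`, `urn:example`) are constructed samples.

```python
"""Build a SOAP 1.1 envelope and validate its structure, extracting the Fault if present."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
NS = {"soap": SOAP_NS}


def build_envelope(body_inner: str, header_inner: str = "") -> str:
    """Wrap application XML in Envelope/[Header]/Body, Header first when present."""
    header = f"<soap:Header>{header_inner}</soap:Header>" if header_inner else ""
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<soap:Envelope xmlns:soap="{SOAP_NS}">{header}'
            f"<soap:Body>{body_inner}</soap:Body></soap:Envelope>")


def parse_fault(doc: str) -> Optional[Dict[str, Optional[str]]]:
    """Validate the structural rules and return the Fault (code, string) or None.
    ElementTree is fine for messages from a trusted peer; parse untrusted XML with defusedxml."""
    root = ET.fromstring(doc)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("root element must be soap:Envelope")
    children = list(root)
    header = root.find("soap:Header", NS)
    if header is not None and children[0] is not header:
        raise ValueError("soap:Header must be the first child of Envelope")
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("soap:Body is required")
    faults = body.findall("soap:Fault", NS)
    if len(faults) > 1:
        raise ValueError("at most one soap:Fault is allowed")
    if not faults:
        return None
    fault = faults[0]
    # In SOAP 1.1 the fault children (faultcode, faultstring) are unqualified elements.
    return {"code": fault.findtext("faultcode"), "string": fault.findtext("faultstring")}
```

A SOAP fault usually travels with HTTP status 500, so a client must look inside the Body rather than trusting the status code alone.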
What is REST API: Basic Authentication (Basic Auth)?
This is the simplest REST API authentication mechanism and is very insecure unless paired with HTTPS. It transmits the credentials as a colon-separated username:password pair that is Base64-encoded (not encrypted) in the Authorization header, so anyone who can read the traffic can recover the password.
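Constructing and inspecting the authentication headers the cards on this page describe: Basic Auth (above), Bearer tokens, and API keys in a header or in the query string. This is an added example, not Cisco course code. The credentials are constructed sample values; `X-API-Key` and the `api_key` query parameter are hypothetical names used only to show the custom-header and query-string forms.

```python
"""Build and decode REST authentication headers: Basic, Bearer, API key."""
import base64
import binascii
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """Basic Auth: 'username:password', Base64-encoded. Encoding is not encryption,
    so this is only safe over HTTPS."""
    if ":" in username:
        raise ValueError("user-id must not contain ':' (it is the separator)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Recover the plaintext pair from a Basic header: anyone who sees the header
    on the wire can do exactly this."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credential lacks the ':' separator")
    return user, password


def bearer_auth_header(access_token: str) -> Dict[str, str]:
    """Bearer: possession of the token is the proof, so it too must only travel over HTTPS."""
    return {"Authorization": f"Bearer {access_token}"}


def api_key_header(api_key: str, header_name: str = "Authorization",
                   prefix: str = "APIkey") -> Dict[str, str]:
    """API key in a header. Default is 'Authorization: APIkey <key>'; pass
    header_name='X-API-Key' (hypothetical name) and prefix='' for a custom header."""
    value = f"{prefix} {api_key}" if prefix else api_key
    return {header_name: value}


def api_key_query(url: str, api_key: str, param: str = "api_key") -> str:
    """API key as a query-string parameter. Public keys only: query strings end up in
    server, proxy and browser-history logs. `param` is a hypothetical parameter name."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((param, api_key))
    return urlunsplit(parts._replace(query=urlencode(query)))
```

`decode_basic_auth` is the whole argument for HTTPS in one function: Basic Auth gives an eavesdropper the password itself, whereas a captured bearer token or API key can at least be revoked.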
What is the REST API Request and Response component: Header?
This optional REST API component communicates additional information between the client and server using standard HTTP format, using colon-separated name-value pairs. There are 2 types Request and Entity.
What is the URI/URL component: Query?
This optional URI/URL component provides additional details for scope, filtering, or clarification of a request. If present, it is preceded by a question mark and typically defined as a set of key-value pairs separated by ampersands.
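Splitting a REST API URI into the four components the cards name (scheme, authority with host and port, resource path, query) and applying the default-port rule. This is an added example, not course code; it uses only `urllib` from the standard library, and the sample URIs are constructed.

```python
"""Decompose a REST API URI into scheme, authority (host, port), resource path and query."""
from typing import Any, Dict
from urllib.parse import parse_qsl, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_rest_uri(uri: str) -> Dict[str, Any]:
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        # Also catches a URI written without a scheme, which urlsplit parses as a bare path.
        raise ValueError(f"unsupported or missing scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("authority must contain a host")
    explicit_port = parts.port          # raises ValueError on a non-numeric or out-of-range port
    return {
        "scheme": parts.scheme,
        "secure": parts.scheme == "https",
        "host": parts.hostname,
        "port": explicit_port if explicit_port is not None else DEFAULT_PORTS[parts.scheme],
        "port_explicit": explicit_port is not None,
        "path_segments": [seg for seg in parts.path.split("/") if seg],
        # parse_qsl keeps repeated keys as separate pairs; dict() keeps only the last value.
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }
```

The scheme check is the same failure the "Invalid URI" troubleshooting card describes: a URI without `http://` or `https://` has no authority at all, only a path.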
What is the REST API / OAuth process of obtaining a token called?
This process of obtaining a token is called a flow.
What is Open Authorization (OAuth)?
This is a delegated-authorization framework: it lets a user grant an application limited access to the user's resources, while the user is authenticated by the authorization server rather than by OAuth itself. The recommended way of securing REST APIs currently is OAuth 2.0, which isn't backward compatible with OAuth 1.0.
How does OAuth work?
This system enables pre-registered applications to get authorization to perform REST API requests on a user's behalf without the user sharing their credentials with the application itself. Users provide their credentials to the authorization server, usually an Identity Provider or Identity Service, which issues an access token that is shared with the application. The application then uses the token as Bearer Authentication on each API request.
What is REST API: Public API Key?
This type of API Key can be shared and enables that user to access a subset of data and APIs.
What is REST API: Private API Key?
This type of API Key should not be shared, as it is equivalent to a username/password.
What criteria must an app meet so that it may consume webhooks?
To consume these, an app must:
-be running at all times to receive HTTP POST requests.
-register a URI with the provider so it knows where to send a notification when a target event occurs.
-handle the incoming notifications from the providing server.
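A webhook consumer that meets the three requirements above: it listens continuously for HTTP POSTs, is registered with the provider by URL (done out of band at the provider), and handles each notification. This is an added example, not code from the course or from any Cisco product. Assumptions: the provider signs the raw body with HMAC-SHA256 using a shared secret and sends the hex digest in a header named `X-Hook-Signature` (hypothetical; use the header and algorithm your provider documents), and each event carries a unique `"id"` used to drop redelivered duplicates. The secret and event bodies are constructed sample values.

```python
"""Minimal webhook receiver: verify the provider's signature, parse, de-duplicate, acknowledge."""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Set, Tuple

SIGNATURE_HEADER = "X-Hook-Signature"   # hypothetical header name; check the provider's docs
MAX_BODY = 1_000_000                     # refuse oversized notifications


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body (assumed provider scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(headers: Dict[str, str], body: bytes, secret: bytes,
                   seen_ids: Set[str]) -> Tuple[int, str]:
    """Return (HTTP status, reason). The signature is checked before anything is parsed."""
    given = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if given is None or not hmac.compare_digest(given, sign(secret, body)):
        return 401, "bad or missing signature"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "body is not JSON"
    event_id = event.get("id") if isinstance(event, dict) else None
    if not isinstance(event_id, str):
        return 400, "missing event id"
    if event_id in seen_ids:
        return 200, "duplicate ignored"       # providers retry; acknowledge, don't re-process
    seen_ids.add(event_id)
    # Real work would be queued here so the provider gets a fast 2xx.
    return 200, f"accepted {event.get('event', 'unknown')}"


class WebhookHandler(BaseHTTPRequestHandler):
    secret = b"replace-with-the-secret-registered-at-the-provider"   # sample value
    seen: Set[str] = set()

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_BODY:
            self.send_error(413)
            return
        body = self.rfile.read(length)
        code, reason = handle_webhook(dict(self.headers.items()), body, self.secret, self.seen)
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    # The URL registered with the provider would point at this listener; terminate TLS in front of it.
    HTTPServer(("0.0.0.0", 8080), WebhookHandler).serve_forever()
```

Because the receiver is reachable from the internet by design, the signature check is what stops anyone who learns the callback URL from injecting fake events; the duplicate check handles the provider's retries after a timeout.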
How would you troubleshoot a REST API Request: Wrong domain?
A request to a URI whose domain name cannot be resolved fails before any HTTP exchange takes place. With the Python requests library the traceback contains requests.exceptions.ConnectionError wrapping a name-resolution failure. Check the hostname for typos and confirm it resolves from the client (e.g. with nslookup or dig).
How would you troubleshoot a REST API Request: Invalid URI?
A request to a URI that is missing the scheme (http:// or https://) is rejected by the client library before any connection is attempted. With the Python requests library the traceback contains requests.exceptions.MissingSchema. Add the scheme; without it the authority is parsed as part of the path.
How do you know if a REST API using a secure HTTPS connection has an invalid certificate?
When the scheme of the URI is HTTPS, the connection starts with a TLS (historically SSL) handshake in which the client validates the server's certificate against its trusted CAs; the client is only authenticated in turn if mutual TLS is configured. When using the Python requests library and the handshake fails (expired, self-signed or hostname-mismatched certificate), the traceback contains: requests.exceptions.SSLError. Fix the certificate or point the client at the issuing CA bundle (the verify parameter); don't disable verification with verify=False outside a lab.
What happens when the API Rate Limit is exceeded?
When this happens the server rejects the request and sends back an HTTP response informing the client, usually with status 429 : Too Many Requests or sometimes 403 : Forbidden, often with a Retry-After header or the X-RateLimit-* headers indicating when the client may try again. Because the status code and headers vary between APIs, the client must be coded for the specific API it is using.
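Reading the rate-limit signals described on this page (the X-RateLimit-* headers card and the rate-limit-exceeded card above) and turning them into a wait time for the client. This is an added example, not course code. It assumes the conventional header names; the rule that a large X-RateLimit-Reset value is an epoch timestamp and a small one is seconds-from-now is a heuristic, and the fixed one-second fallback for a 429 with no hint is an arbitrary choice. All header values in the test are constructed.

```python
"""Parse X-RateLimit-* and Retry-After headers and compute how long to wait before retrying."""
from datetime import timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Heuristic: values this large (2001 onwards) are epoch timestamps; smaller ones are seconds from now.
EPOCH_THRESHOLD = 1_000_000_000
RATE_HEADERS = ("X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset")


def _hdr(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower())


def rate_limit_state(headers: Dict[str, str]) -> Dict[str, Optional[int]]:
    """The three conventional headers as ints (None when absent or non-numeric)."""
    state: Dict[str, Optional[int]] = {}
    for name in RATE_HEADERS:
        value = _hdr(headers, name)
        state[name] = int(value) if value is not None and value.strip().isdigit() else None
    return state


def seconds_until_reset(reset_value: int, now: float) -> float:
    if reset_value >= EPOCH_THRESHOLD:
        return max(0.0, reset_value - now)      # epoch timestamp
    return max(0.0, float(reset_value))         # seconds from now


def retry_delay(status: int, headers: Dict[str, str], now: float) -> Optional[float]:
    """Seconds to wait before retrying, or None if the response was not a throttling rejection."""
    if status not in (429, 403):
        return None
    retry_after = _hdr(headers, "Retry-After")
    if retry_after is not None:
        retry_after = retry_after.strip()
        if retry_after.isdigit():                       # delta-seconds form
            return float(retry_after)
        when = parsedate_to_datetime(retry_after)       # HTTP-date form
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return max(0.0, when.timestamp() - now)
    state = rate_limit_state(headers)
    if state["X-RateLimit-Remaining"] == 0 and state["X-RateLimit-Reset"] is not None:
        return seconds_until_reset(state["X-RateLimit-Reset"], now)
    if status == 429:
        return 1.0      # throttled but no hint given: arbitrary fixed fallback
    return None         # 403 without rate-limit headers is an authorization problem, not throttling
```

A well-behaved client also looks at X-RateLimit-Remaining on successful responses and slows down before it hits zero, rather than waiting for the first 429.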
How would you troubleshoot a REST API Request: IP Address accessible?
If the host's IP address is not reachable, the request hangs until the connection attempt times out, so always pass a timeout (e.g. requests.get(url, timeout=10) with the Python requests library) and expect requests.exceptions.ConnectTimeout or requests.exceptions.ConnectionError in the traceback. Confirm reachability with ping or traceroute and check that the expected port is open and not filtered.