APIs are the building blocks that enable separate applications to communicate so that an organization’s trove of data is easier to share and consume. This type of system integration is crucial to many businesses, but inconsistent API design and development can cause serious problems.
That’s where API standards come in, giving developers a consistent framework and ensuring effective interoperability between systems and apps. Stable and reliable APIs lead to enhanced user experiences and help to keep sensitive data protected.
But precisely what are API standards and how do they differ across industries? In this post, we’ll take you through everything you need to know.
A recap: What are Application Programming Interfaces (APIs)?
You probably already know what an API is (in which case, feel free to skip to the next section), but let’s do a quick recap for anyone who needs a reminder.
API stands for Application Programming Interface. This is a software intermediary, or a set of protocols, that enables unrelated software applications to “talk” to each other.
By using the API as a go-between, a software application can access resources within another application or service and exchange data, features, and functionality.
How do APIs work?
APIs act as a bridge that creates a connection between software applications or systems. When an application makes a request for data or functionality, the API facilitates the exchange by making an “API call” to the web server. This call provides instructions for performing the required action.
Here’s how that works in step-by-step form:
- The first application (the “client”) initiates the request via the API’s URI (Uniform Resource Identifier).
- The API puts in a call to the server.
- The server responds to the API with the requested information.
- The API transfers the data to the client.
If you’ve ever logged into a website with your Google or Facebook profile login details or purchased something from an ecommerce site using a third-party payment system like Apple Pay, you’ve seen APIs at work. Or rather, you haven’t, because they do their thing behind the scenes.
APIs exchange data within the computer or application, with nothing to see on the user interface. Other examples include the integrations built into SaaS platforms or connections between IoT (Internet of Things) devices—such as doorbell cameras sending images to your cell phone.
APIs enable applications to share only information relevant to the specific request, in small packets of data. They keep any other system details hidden for security purposes.
Types of APIs
- Private APIs are typically used by in-house developers to integrate an organization’s IT systems or apps or to build new systems on top of existing infrastructure.
- Partner APIs are used when business partners want to integrate their respective software.
- Public APIs (aka developer-facing or external APIs) are made available to third-party developers.
Because of the different types of APIs—and the growing number of apps and systems that use them—it’s necessary to have a set of protocols that define accepted data types, commands, and syntax for standardized data exchange.
API specifications include SOAP (Simple Object Access Protocol), RPC (Remote Procedure Call), GraphQL, and REST (Representational State Transfer), which we’ll hear more about shortly.
What are API standards?
API standards are sets of conventions or best practices for creating and implementing APIs. They provide guidelines for developers, helping them to design, build, and manage their APIs in a consistent way.
Standards can include protocols for security and compliance, naming conventions for resources, and sustainability policies.
How is this different from API specification or documentation? API specification outlines the essential elements of the API—it’s usually put in place before building begins. Documentation describes how to use and integrate the API effectively.
Consistent design and functionality in APIs makes it easier for disparate apps and systems to communicate and integrate. When APIs adhere to widely used standards, you’ll also save time and resources because there’s no debate over which format to use.
Using standards is also a key part of good API governance. You can make them part of your own rules and processes for API usage and make sure they’re applied across the enterprise. This helps to ensure API quality, security, and consistency.
So, what are the API standards developers should use and who sets them? Well, that can depend on your project’s requirements, your industry, and your goals. While there’s no definitive list of API standards, you can find sets of conventions for your industry or follow guidance from standards bodies.
Some well-known standards bodies include:
- The OpenAPI Initiative (OAI), which steers OpenAPI Specification (OAS) development
- The GraphQL Foundation
- The AsyncAPI Initiative
- The IETF Working Group
- The W3C Web of Things (WoT) Working Group
There’s nothing to say you can’t decide to set your own standards for your organization, taking inspiration from existing conventions. If you’re building an API on behalf of a government or a public service, though, you’ll usually have to adhere to their own set of standards.
For example, the UK government recommends using the REST API style and OpenAPI Specification (OAS), plus its own Technology Code of Practice and Data Standards Catalogue.
The Australian government also mandates REST as the basis for design, rather than older API types, such as SOAP. The European Commission has specific API requirements for the banking and financial sectors, called Payment Services Directive 2 (PSD2).
The REST API philosophy: An underpinning of many API standards
Many established API standards have their foundations in the “REST” style of APIs. REST stands for representational state transfer, which is an architectural style based on specific design principles. This philosophy underpins the idea of consistent standards for API design and implementation.
Much like other types of APIS, REST APIs enable different systems to communicate and share information seamlessly. The difference is that REST’s constraints and properties are based on HTTP, making it ideal for web services.
REST treats networked components as resources, which can be identified and accessed using standard HTTP methods. Data entities, including images, text documents, and GET requests, are accessed using URLs.
As an alternative to other web service architectures, REST is designed for scalability, authentication, performance, and ease of modification.
RESTful APIs are increasingly important due to the growing complexity of digital ecosystems and the need for interoperability between apps. They’re a crucial element in software development for web services and mobile applications, and they’re commonly used to connect components in microservices architectures.
Here are the key principles of the REST philosophy:
- Statelessness: Server applications aren’t permitted to retain any data related to a client request. That means every request has to include all the necessary information for understanding and processing it—with no further context required. Requests can therefore be met by any available server.
- Client-server decoupling: In RESTful systems, client and server applications must be completely independent of each other. There’s a clear separation between the client (usually the user interface) and the server (data storage).
- Uniform interface: If the interface is uniform and consistent, interactions are simpler, and systems can evolve separately with decoupled architecture. All API requests for the same resource should look the same, regardless of where the request comes from.
- Layered system architecture: Components in REST systems are arranged in layers, each with its own specific functionality. With modular architecture, the components of one layer can only interact with layers immediately adjacent to them.
- Cacheability: Responses from the server can be cached on the client side, which means clients can reuse previous responses. This lessens the need to repeat requests, so the caching process reduces the number of interactions and improves performance.
- Code on demand: The code-on-demand principle (which isn’t always used as part of REST) allows servers to send executable code to the client, which extends the client’s functionality.
Thanks to their scalability, flexibility, portability across different platforms and devices, and reduced development time and cost, REST APIs have been widely adopted.
You can use the principles in the image below to create standards for your own APIs:
General examples of API technical and data standards
Now, we’ll take a look at some of the more general technical and data standards for APIs, which you might want to implement in your organization:
Naming conventions
Your API standards should emphasize consistency when assigning names to any type of resource provided by your API. Otherwise, users will get confused, and they’ll have to reread documentation.
For instance, it makes sense to always use plural nouns for URIs that represent collections of resources—and to avoid changing names of resources between versions, as this could damage integrations.
Request and response
API data standards also cover consistent request and response HTTP protocols. You might mandate exposing only HTTPS TLS-encrypted endpoints. For example, restrict developers to using TLS versions “n” or “n-1” and not redirecting HTTP to HTTPS.
Alternatively, you could insist on the JSON Data Interchange Standard when structuring REST API response formats.
Error handling
Another common API data standard involves matching error codes with standard HTTP response codes.
Error codes have to be consistent and easy to read so that it’s easy to identify where and when the error has occurred. An organization might standardize documentation of all error codes.
Cacheability
As discussed in the REST section, making your API responses cacheable improves their performance and scalability, reducing bandwidth, latency, server load, and the risk of network failures. This is why organizations often include cacheability in their API technical standards.
Reuse policy
Because it’s faster and simpler to reuse an existing API than to create a new one from scratch, you could make this approach the standard for your enterprise. You’d need to implement rules about checking for existing APIs at the start of the project and ensuring they have the right functionality for the use case.
It’s also important to check the license, as there’s a difference between open and commercial APIs.
API-first software design
With an API-first policy, the software design process begins with API creation. The interface for a web platform or a mobile app is then built around the API.
Guidelines for this approach could form part of your API standards. (Of course, this isn’t possible if you’re building an API for a legacy system in which the platform or service already exists.)
Security
API technical standards often include directions for building top-notch security into the API’s design.
For example, this could include classifying data and identifying regulatory controls, as well as controlling access, using TLS 1.2 or above, and monitoring for any unusual activity.
Encoding
You can also put standards in place to ensure consistency in encoding practices. For example, Unicode is the universal standard for encoding, representing, and handling text in most global writing systems.
Using the UTF-8 standard to encode APIs will help to ensure that the text will remain stable over time and across different technologies.
Testing
Standards for testing your API design are useful for checking functionality, security, and compliance.
As well as setting up a sandbox, you can create guidelines for iterating the design based on feedback—and for versioning, to make sure the changes you make won’t prevent older versions of your API from working properly.
Benefits of API standards
Creating and following API standards brings numerous advantages to your organization in terms of consistency, productivity, reduced costs, and faster time-to-market. Let’s check out some of the key API standards benefits:
Ensuring consistency across applications
When everyone adheres to API standards, you’ll know that no matter who develops the API or where it's developed, it will have a common language and behave in a predictable way. There are many “correct” ways to design APIs, but with a consistent framework, different teams can follow a unified approach.
Plus, everyone on the team will know what to do thanks to simple and relatable design standards—with no misunderstandings about how the API is meant to perform. Using a shared API lifecycle model and vocabulary also helps to simplify governance.
Improving reliability, stability, and user experience
Standards help you to ensure that your APIs and the applications they serve are reliable and efficient. With security and predictability by design, there shouldn’t be any unintended functionality in the messages between clients and servers.
This means an increase in the API’s expected uptime and fewer interruptions to service provision. Websites, such as ecommerce sites, can then handle increased loads without any impact on performance, as extra resources are automatically brought online at peak times.
For end-users of integrated apps, this leads to intuitive navigation, reduced glitches, and a better overall experience (especially when you also develop standards around user needs and relevant features). Clear standards for APIs also give developers a smoother experience and minimize the learning curve.
Increasing interoperability
APIs simplify and speed up software development because developers don’t have to create new applications every time—they can just integrate data, services, and capabilities from other apps.
Setting standards for interoperability means it’s easier for those different systems to communicate and share data, no matter what their internal architectures look like. Standardized APIs help to create a seamless user experience across multiple platforms thanks to efficient system integration.
Increased interoperability allows application owners to share data and functionality with departments across their organization or with partners and third parties. With simple and secure integration of features and services, businesses can easily interact with a range of software and systems, enabling them to scale more efficiently.
Catering for future integrations
Apart from determining how APIs should be designed and developed, standards also cover the way in which APIs should be updated. With clear guidelines in place, future modifications are easier to implement.
Policies for reusing existing APIs are also a good way to make future development simpler, as you can build one connection and reuse it multiple times. When sustainability is built into your APIs, they’ll keep working as new systems and technologies are introduced or older ones are transformed.
Understanding API standards in different industries
Just as there are different types of APIs for different use cases, there are different API standards for different industries. We’re going to take a look at four of the main industries in which API standards are important.
There are many API standards in other industries apart from the ones included here, so it’s wise to carry out your own research and find out which standards best apply to your situation.
Healthcare APIs
APIs are crucial in healthcare settings where data needs to be shared securely between healthcare providers, patients, partners, insurance companies, and government agencies.
In the digital era, this is often achieved through connected web and mobile apps, as well as IoT health devices, such as wearable heart monitors.
In the USA, under the “Interoperability Rule and Information Blocking” section of the 21st Century Cures Act, patients have the right to receive electronic copies of their health records. Healthcare providers have to comply with HIPAA regulations for protecting and securing electronic records.
To protect confidential data, such as patient health information (PHI), API standards are required to ensure secure connections between integrated apps. The key is to standardize how information is exchanged and protected while making it easy to share with others when needed.
For instance, if you’re building a healthcare API, you can secure it with access controls OpenID Connect and OAuth 2.0 identity. With standardized controls, you can specifically configure APIs to align with HIPAA requirements.
Patients can also state that they want their records to be shared with a third-party application, and this is done via Open FHIR® APIs. FHIR® (Fast Healthcare Interoperability Resources) is a specific API standard for exchanging health information.
FHIR® is maintained by a standards development organization called HL7® (Health Level 7), and it has been widely adopted in the industry and beyond. For example, Apple has adopted this standard to facilitate secure access to personal health information on iPhones.
Governmental APIs
Government is another area where data security is paramount. Especially since governments are increasingly using APIs to automate processes, provide access to services, and share data between local and central departments.
For example, the US Department of Agriculture runs a FoodData Central API for developers who need to incorporate nutritional data into their apps or websites. The National Weather Service has an API that provides weather data to software developers within and outside of government.
The US Census Bureau has a public API that provides access to various data sets and surveys while the Department of the Treasury is currently building a suite of open-source tools that will make standardized information about federal finances available to the public.
Most world governments have established standards for API design and development. These apply to anyone who creates or uses APIs for government and public projects (although the standards can also be used as guidance for private sector APIs). Typically, these would be aligned with wider government standards, protocols, and objectives.
In the UK, the government publishes guidance on designing, building, and operating APIs, alongside standards for delivering the best service to users. This is overseen by the Data Standards Authority (DSA), which works to improve how the public sector manages data.
On a similar theme, the Government of Canada has created official Digital Standards for API development. For instance, APIs must follow the RESTful model by default, and developers must measure and publish performance benchmarks.
Banking APIs
With open banking, customers can share financial information from their own bank, such as account balance and transaction history, with other financial providers or services who use the data to personalize products or make recommendations.
APIs enable financial websites and apps to talk to one another, but, of course, they need to be fully secure.
Standardized banking APIs are inherently more secure. API standards in this industry include things like encrypting data, using OAuth 2.0 for authorization, tokenizing confidential information, and carrying out regular security audits.
In the USA, there’s limited government regulation regarding API standards in the banking industry, but the market-driven approach has led organizations, such as the Financial Data Exchange (FDX), to move toward creating a common API standard.
We mentioned the EU’s Payment Service Directive (PSD2) earlier in this article, and European countries use various technical API standards to ensure compliance. These include standards outlined by Open Banking UK and The Berlin Group.
The APAC region works on a combination of market-led and government-driven API standards, with Singapore taking the former approach while Hong Kong favors the latter. Japan uses soft open banking standards.
In Australia, open banking standardization and regulation focuses on the individual, based around its Consumer Data Right (CDR) reform that enables consumers to access and share their data with accredited third parties. Protocols for sharing CDR data are defined by the Data Standards Body (DSB).
Automotive APIs
Automotive manufacturers are increasingly using APIs to enhance driver and passenger experiences. For instance, APIs can connect data from your car to your other devices so you can see if your battery is charged or tell your vehicle to turn on the AC before you even leave the house.
But in the global automotive supply chain, electronic data interchange (EDI) is still very much a thing. In many cases, it’s reliant on asynchronous file transfers of structured messages between manufacturers, suppliers, and logistics service providers.
This led some automotive vendors to develop and implement their own API-based solutions to improve transparency and agility in the supply chain. However, there were incompatibility problems, and a need arose for common API standards in the industry.
The automotive standardization body, Odette, developed a recommendation that combines existing EDI standards with new API-driven status messages. It uses OpenAPI to specify the process interactions between different supply chain participants.
These API standards are specified in “Automotive Supply Chain API for Transport Track & Trace2” (OA02), and “Technical Rules for the Use of API in Automotive Supply Processes” (OA01). We can expect to see more standards being developed as automotive API use increases.
OpenLegacy can help you uphold API standards even with legacy systems
As we’ve seen, API standards lead to consistency between applications, increased interoperability, and better security and compliance. With standards in place, developers anywhere can stick to a common set of rules and protocols—making for streamlined integrations and reduced errors.
If you’re building APIs to connect applications or platforms within a legacy system, standardization becomes even more important to ensure seamless sharing of data and functionality. OpenLegacy has the tools to help you achieve this.
For example, it enables developers with any skill level to automatically generate low-code and no-code APIs, which adhere to the relevant standards. This automation also has the benefit of eliminating human error from API creation, which makes your APIs more secure and helps you comply with regulations.
The OpenLegacy Hub encourages a standard, modular approach by providing visibility into the building blocks of APIs. This makes it easier to reuse and build on existing APIs to meet sustainability standards.
Plus, OpenLegacy enables you to generate documentation for the effective use of discovery and helps your organization to become AI-ready so that even complex legacy systems can benefit from AI. All of which paves the way for easier upholding of current and future API standards.
We’d love to give you a demo.
Please leave us your details and we'll be in touch shortly