API Glossary: REST, GraphQL, gRPC and Web API Terms Explained

Comprehensive guide to API terminology covering REST, GraphQL, gRPC, webhooks, authentication, and API design patterns for 2026.

What is an API?

API (Application Programming Interface) is a set of rules that allows software applications to communicate with each other. APIs define the methods and data formats for requesting and exchanging information. In 2026, APIs are the backbone of modern software — connecting frontends to backends, microservices to each other, and third-party services to applications. The most common web API styles are REST, GraphQL, and gRPC.

REST API Terms

REST (Representational State Transfer): An architectural style for web APIs using HTTP methods. Resources are identified by URLs, and operations map to HTTP verbs. GET retrieves data, POST creates, PUT/PATCH updates, DELETE removes.

Stateless: Each request contains all information needed.

Endpoint: A specific URL that accepts API requests (e.g., /api/users/123).

Resource: An entity exposed through the API (users, products, orders).

Status Codes: 200 OK, 201 Created, 400 Bad Request, 401 Unauthorized, 404 Not Found, 429 Too Many Requests, 500 Internal Server Error.

HATEOAS: Hypermedia As The Engine Of Application State — a REST constraint where responses include links to related resources.

GraphQL Terms

GraphQL: A query language for APIs developed by Facebook (2015). Clients specify exactly what data they need, eliminating over-fetching and under-fetching.

Schema: Defines all available types and their relationships.

Query: Read operation requesting specific fields.

Mutation: Write operation that modifies data.

Subscription: Real-time data updates via WebSocket.

Resolver: Server function that fetches data for a specific field.

Apollo and Relay are popular GraphQL client libraries.

Authentication and Security

API Key: A simple token passed in headers or query parameters to identify the caller. Easy to implement but limited in security.

OAuth 2.0: An authorization framework allowing third-party access without sharing credentials. Flows: authorization code, client credentials, device code.

JWT (JSON Web Token): A compact, signed token containing claims about the user. Used for stateless authentication. Structure: header.payload.signature.

Rate Limiting: Restricting the number of API requests per time period. Prevents abuse and ensures fair usage. Common headers: X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After.

CORS: Cross-Origin Resource Sharing — browser security mechanism controlling which domains can call your API.

API Design Patterns

Pagination: Breaking large result sets into pages. Cursor-based (opaque token) is preferred over offset-based for large datasets.

Versioning: Managing API changes without breaking clients. Strategies: URL path (/v2/users), header (Accept: application/vnd.api+json;version=2), query parameter (?version=2).

Webhook: A callback URL that receives notifications when events occur. Reverse of polling — the server pushes data to the client.

Idempotency: Ensuring that making the same request multiple times produces the same result. Critical for payment APIs and retry logic. Use idempotency keys in request headers.

gRPC and Modern Protocols

gRPC: A high-performance RPC framework by Google using Protocol Buffers for serialization and HTTP/2 for transport. Supports streaming, is strongly typed, and generates client/server code automatically. 2-10x faster than REST for internal microservice communication.

Protocol Buffers (Protobuf): A language-neutral binary serialization format. Smaller and faster than JSON. Requires a .proto schema file.

WebSocket: A persistent bidirectional communication channel over a single TCP connection. Used for real-time features: chat, live updates, collaborative editing.

Server-Sent Events (SSE): A simpler alternative to WebSocket for one-way server-to-client streaming. Used by ChatGPT and Claude for streaming responses.
