Questions

  • 1. What is an API?

    API stands for Application Programming Interface. It is the defined way in which two systems/applications communicate with each other.

  • 2. What is a REST API?

    REST API stands for Representational State Transfer Application Programming Interface.

    It follows a set of rules for creating, reading, updating, and deleting data (called CRUD operations) using HTTP.

  • 3. HTTP Methods Used in REST
    HTTP Method | CRUD   | Description             | Idempotent?
    GET         | Read   | Retrieve data           | ✅ Yes
    POST        | Create | Add new resource        | ❌ No
    PUT         | Update | Replace entire resource | ✅ Yes
    PATCH       | Update | Modify part of resource | ✅ Usually
    DELETE      | Delete | Remove resource         | ✅ Yes

  • 4. Difference Between PUT and PATCH in REST APIs

    Both PUT and PATCH are used to update resources.

    PUT – Complete Replacement: the client sends the full representation and the resource is replaced with it.

    PATCH – Partial Update: the client sends only the fields that should change.

  • 5. HTTP Status Codes in REST APIs
    Code | Meaning                  | Used When
    200  | ✅ OK                    | Request was successful and response is returned.
    201  | ✅ Created               | Resource was successfully created (usually after a POST).
    400  | ❌ Bad Request           | Client sent invalid data (e.g., missing fields, bad JSON).
    401  | 🔐 Unauthorized          | No valid authentication credentials provided (e.g., missing/invalid token).
    403  | ⛔ Forbidden             | Authenticated but not allowed to access the resource (no permission).
    404  | ❓ Not Found             | Resource does not exist at the given URL.
    500  | 💥 Internal Server Error | Server crashed or had an unexpected error.

  • 6. What is the structure of a typical HTTP request and response?
    HTTP Request Structure

    1. Request URL

    2. Request headers

    3. Request body

    HTTP Response Structure

    1. Status code

    2. Headers

    3. Body

  • 7. What is CORS?

    CORS (Cross-Origin Resource Sharing)

    CORS is a browser security feature that controls how web pages from one domain (origin) can make requests to another domain.

    CORS Error Example

    When making a request from the browser (e.g. a React frontend) to an API on a different origin, you might see this error in the console:

        Access to fetch at 'https://api.server.com/data' from origin 'http://localhost:3000'
        has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present...

    How to Fix CORS?

    The server must allow access explicitly by sending the Access-Control-Allow-Origin response header, e.g. Access-Control-Allow-Origin: *
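    The wildcard above is the right fix for a public, unauthenticated API. For an API that uses cookies or tokens, the server should instead echo back only origins it has allow-listed, because browsers refuse `Access-Control-Allow-Origin: *` together with credentials, and reflecting whatever `Origin` arrives would let any site read authenticated responses. The following is an added example (not code from the original page or from any framework) of that server-side decision in Python; `ALLOWED_ORIGINS` and the preflight values are constructed for the example.

```python
"""Server-side CORS decision logic (added example, not from the original page)."""
from typing import Dict, Optional

# Constructed allowlist for the example; a real deployment loads this from config.
ALLOWED_ORIGINS = {"http://localhost:3000", "https://app.example.com"}


def cors_headers(origin: Optional[str], method: str,
                 allow_credentials: bool = False) -> Dict[str, str]:
    """Return the CORS response headers for a request carrying `origin`.

    Only allow-listed origins are echoed back. A wildcard '*' is never used
    here because the function is meant for credentialed APIs, where browsers
    reject the wildcard and where reflecting arbitrary origins would expose
    authenticated responses to any site.
    """
    headers: Dict[str, str] = {}
    if origin is None or origin not in ALLOWED_ORIGINS:
        # Same-origin request, or an origin we do not recognise: send no CORS
        # headers at all, so the browser blocks the cross-origin read.
        return headers

    headers["Access-Control-Allow-Origin"] = origin
    # Tell caches the answer depends on Origin; otherwise a response cached for
    # origin A (carrying A's header) could be served to origin B.
    headers["Vary"] = "Origin"
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"

    if method.upper() == "OPTIONS":
        # Preflight response: advertise what the actual request may use.
        headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE"
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers


def public_api_cors_headers() -> Dict[str, str]:
    """For a public API with no credentials the page's fix applies unchanged."""
    return {"Access-Control-Allow-Origin": "*"}
```

    Call `cors_headers(request.headers.get("Origin"), request.method, allow_credentials=True)` in a middleware and merge the result into every response, including the 401/403 ones, otherwise the browser hides the real error from the frontend.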

  • 8. Difference Between Authentication and Authorization

    Both authentication and authorization are key parts of application security.

    Authentication

    Verifies identity (e.g., login with username & password)

    Returns a token or session if successful

    Authorization

    Verifies permissions, i.e. what the already-authenticated identity is allowed to do, using the token

  • 9. Query Parameters vs Path Parameters

    Both query parameters and path parameters are used to send data in HTTP requests.

    Path parameters

    Part of the URL path.

    Mandatory.

    e.g. /users/123

    Used to get/update/delete a specific resource.

    Query parameters

    Appear after a ? in the URL.

    Usually optional.

    e.g. /users?role=admin&page=2

    Used to filter, sort, or paginate results.

  • 10. How do you handle versioning in REST APIs?
    Why Version Your API?

    Avoid breaking existing client apps

    Add new features without disrupting old behavior

    How to handle versioning

    URI Path Versioning: include the version in the URL path.

    e.g. GET /api/v1/users, GET /api/v2/users

  • 11. What is rate limiting? How is it implemented?

    Rate limiting is a technique used to control the number of requests a client (user, IP, or app) can make to an API within a given time window.

    Why Use Rate Limiting?

    Control traffic and maintain server performance

    How Is It Implemented?

    Use Laravel's built-in throttle middleware:

        // throttle:<max attempts>,<decay minutes>: here 60 requests per 1 minute per client
        Route::middleware('throttle:60,1')->group(function () {
            Route::get('/user', 'UserController@index');
        });
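    To show what the middleware does underneath, here is an added example (written for this page, not Laravel's own implementation) of a fixed-window limiter in Python with the same 60-per-minute budget. The header names are chosen to match the ones Laravel's throttle middleware sends; the clock is injectable so the behaviour can be tested without waiting, and `client_key` is a hypothetical helper showing how to pick the bucket key.

```python
"""Fixed-window rate limiter mirroring throttle:60,1 (added example)."""
import math
import time
from typing import Callable, Dict, Optional, Tuple


class RateLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key.

    Choice of key matters: keying only by IP lets one user exhaust the budget
    of everyone behind the same NAT, while keying only by user leaves
    unauthenticated endpoints (login, password reset) unprotected.
    """

    def __init__(self, limit: int = 60, window_seconds: int = 60,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so tests can control time
        self._buckets: Dict[str, Tuple[float, int]] = {}  # key -> (window_start, count)

    def check(self, key: str) -> Tuple[bool, Dict[str, str]]:
        """Record one request for `key` and return (allowed, response headers).

        When `allowed` is False the caller answers 429 Too Many Requests and
        includes the returned Retry-After header.
        """
        now = self.clock()
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # previous window elapsed: start a fresh one
        allowed = count < self.limit
        if allowed:
            count += 1  # only successful requests consume budget
        self._buckets[key] = (start, count)
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(max(self.limit - count, 0)),
        }
        if not allowed:
            # Seconds until the current window ends, rounded up, never 0.
            headers["Retry-After"] = str(max(1, math.ceil(self.window - (now - start))))
        return allowed, headers


def client_key(user_id: Optional[str], remote_ip: str) -> str:
    """Hypothetical helper: bucket by authenticated user, fall back to client IP."""
    return f"user:{user_id}" if user_id else f"ip:{remote_ip}"
```

    In production the bucket table lives in a shared store (Laravel uses its cache backend) so that every application server counts against the same budget; an in-process dict only works for a single instance.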

  • 12. What is Idempotency in REST APIs?

    Idempotency means that making the same API request multiple times has the same effect as making it once — no side effects beyond the first call.

    Why Is Idempotency Important?

    Prevents duplicate operations (like double-charging or multiple order creations).

    HTTP Methods and Idempotency
    HTTP Method | Idempotent? | Description
    GET         | ✅ Yes      | Reads data; doesn't change anything.
    PUT         | ✅ Yes      | Replaces resource entirely; repeated requests = same result.
    DELETE      | ✅ Yes      | Deletes resource; repeated deletes = no additional change.
    POST        | ❌ No       | Creates new resource; multiple calls = multiple resources.
    PATCH       | ⚠️ Depends  | Partial updates; not always idempotent unless carefully designed.
    Example of Non-Idempotent Operation (POST)

    First call: creates order #1

    Second call: creates another order #2 — different result

    Enforcing Idempotency in POST (Using Idempotency-Key)

    Some systems (e.g., payment APIs) use an Idempotency-Key header to simulate idempotency:

        POST /payments
        Headers:
          Idempotency-Key: abc123xyz

    Server checks if this key was already used.

    If yes: returns the same result as before.

    If no: processes normally and stores the key+response.
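    The three server-side steps above, as an added example in Python (not code from any payment provider). It adds two checks a practitioner would want: the key is scoped to the calling client, so one client cannot replay another client's stored response, and the request body is fingerprinted, so reusing a key with a different payload is refused instead of silently returning the old result. The `PaymentService`, its in-memory store and the `amount` field are constructed for the example.

```python
"""Idempotency-Key handling for POST /payments (added example)."""
import hashlib
import json
from typing import Dict, Tuple

Response = Tuple[int, dict]  # (HTTP status code, JSON body)


class PaymentService:
    def __init__(self) -> None:
        # (client_id, idempotency_key) -> (body fingerprint, status, response body)
        self._store: Dict[Tuple[str, str], Tuple[str, int, dict]] = {}
        self.charges_made = 0  # counts real side effects, to show duplicates are suppressed

    def _charge(self, body: dict) -> Response:
        """Constructed stand-in for the call to the payment processor."""
        self.charges_made += 1
        return 201, {"payment_id": f"pay_{self.charges_made}", "amount": body["amount"]}

    @staticmethod
    def _fingerprint(body: dict) -> str:
        # Canonical JSON so that key order in the request does not change the hash.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def handle_post(self, client_id: str, headers: Dict[str, str], body: dict) -> Response:
        key = headers.get("Idempotency-Key")
        if key is None:
            # No key supplied: behave like a plain POST (a stricter API could return 400).
            return self._charge(body)

        fingerprint = self._fingerprint(body)
        stored = self._store.get((client_id, key))
        if stored is not None:
            prev_fingerprint, status, response = stored
            if prev_fingerprint != fingerprint:
                # Same key, different request: refuse rather than replay or re-charge.
                return 422, {"error": "Idempotency-Key already used with a different request body"}
            # Replay: identical response, no second charge.
            return status, response

        status, response = self._charge(body)
        # In production this insert must be atomic (e.g. a unique constraint on
        # (client_id, key)) so two concurrent requests cannot both charge.
        self._store[(client_id, key)] = (fingerprint, status, response)
        return status, response
```

    Stored entries should also carry an expiry, since keys are normally only honoured for a bounded period (often around 24 hours) to keep the store small.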

  • 13. What is JWT (JSON Web Token)?

    JWT stands for JSON Web Token.

    It is used to securely transmit data between two parties (applications), and is commonly used for authentication and authorization in web apps and APIs.

    How JWT Works in Authentication

    1. User logs in with username & password.

    2. Server verifies credentials, creates a JWT, and sends it to the client.

    3. Client stores the token (usually in localStorage or cookies).

    4. For every API request, the client includes the JWT in the Authorization header.

    5. The server verifies the token's signature and claims.

    6. If valid, the server processes the request.

    Benefits of JWT

    Stateless: No session state is stored on server

    Risks and Considerations

    Don't store sensitive data in the payload (it's base64-encoded, not encrypted).

    Use short expiry times (exp) and refresh tokens.

    Libraries for JWT

    In Laravel: tymon/jwt-auth

  • 14. What is the Difference Between Session-Based and Token-Based Authentication?

    Both are methods of user authentication.

    Session-Based Auth: Stateful – the server stores the client's session state

    Token-Based Auth (e.g. JWT): Stateless – the server stores no session state

    Session-Based Flow:

    1. User logs in using username and password

    2. Server authenticates user

    3. Server creates session and stores it (e.g., in DB)

    4. Server sends session ID to client (via a cookie)

    5. On every request, client sends cookie with session ID

    6. Server looks up session and authenticates the request

    Token-Based Flow (e.g., JWT):

    1. User logs in using username and password

    2. Server authenticates user

    3. Server generates JWT and sends it to client

    4. Client stores token (e.g., localStorage, cookie)

    5. On every request, client sends the token via the Authorization header

    6. Server verifies token and authorizes the request
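    The token-based flow in Q13 and Q14 (server issues a JWT, client sends it in the Authorization header, server verifies signature and claims) carried through in Python using only the standard library. This is an added example, not code from the page or from tymon/jwt-auth: it assumes HS256 with a shared secret, a constructed secret and claims, and a hypothetical `role` claim used to show the 401-versus-403 distinction from Q5 and Q8. The verifier pins the algorithm instead of trusting the token's `alg` header, compares signatures in constant time, and rejects expired tokens, which is what the "short expiry" advice in Q13 relies on.

```python
"""HS256 JWT issue/verify plus the 401/403 decision (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes, ttl_seconds: int = 900,
             now: Optional[int] = None) -> str:
    """Issue an HS256 token; `now` is injectable for tests. Keep the payload free
    of secrets: it is only base64url-encoded, not encrypted."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, signed by `secret` and
    unexpired; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, binascii.Error):
        return None
    # Pin the algorithm: the server, not the token, decides how to verify.
    # This also rejects "alg": "none" tokens outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def authorize_request(headers: Dict[str, str], secret: bytes, required_role: str,
                      now: Optional[int] = None) -> Tuple[int, str]:
    """Authentication failures map to 401, permission failures to 403."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "Unauthorized"  # no credentials presented
    claims = verify_jwt(token, secret, now)
    if claims is None:
        return 401, "Unauthorized"  # bad signature or expired
    if claims.get("role") != required_role:  # hypothetical claim for the example
        return 403, "Forbidden"  # authenticated, but not permitted
    return 200, "OK"
```

    Because the server keeps no state, a leaked token stays valid until `exp`; that is why the page pairs short-lived access tokens with refresh tokens rather than issuing long-lived ones.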

  • 15. How to Handle File Uploads in an API

    Clients send files using the Content-Type: multipart/form-data request header; the file bytes and any accompanying form fields travel in the multipart request body.

  • 16. API Keys vs Token Auth

    API Keys – use when:

    You need to identify the calling application, not the user

    You want basic rate limiting & logging

    Less secure

    Tokens – use when:

    You need user-based authentication

    More secure