Definition

What is a restricted API?

A restricted API is an application program interface whose access, or use, is intentionally limited by web site developers for security purposes or business reasons. APIs are restricted by API keys, which are unique codes passed between a project on one end and the web site's APIs on the other.

API keys identify the calling program (that is, the software that is making contact with the API), the developer or the project. API keys can be used to track how an API is being used, how often it is being accessed, and by whom. Web site developers can restrict APIs by issuing keys only to trusted partners and by linking specific keys to specific APIs.

Benefits

Restricting APIs through the use of API keys allows the receiving web site to identify the application or project. API keys can also be used to limit what types of devices access the web site, to restrict IP addresses and to limit the volume of calls made to an API. They can be used to verify the identity of the caller and to check whether the caller should be able to access the destination site.
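The checks described above, combined into one server-side function, as an added example that is not part of the original page. The key strings, API names, IP ranges and the `authorize` function are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import time

def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed registry: the server stores a hash of each issued key, not the key.
KEYS = {
    _digest("partner-key-constructed-1"): {
        "project": "trusted-partner", "apis": {"profile", "connections"},
        "networks": [ipaddress.ip_network("203.0.113.0/24")], "per_minute": 3},
    _digest("public-key-constructed-2"): {
        "project": "non-partner", "apis": {"profile"},
        "networks": [ipaddress.ip_network("0.0.0.0/0")], "per_minute": 2},
}
_calls = {}  # key digest -> timestamps of accepted calls in the last minute

def authorize(api_key, api, client_ip, now=None):
    """Return (allowed, detail): the project name on success, else the reason."""
    now = time.time() if now is None else now
    presented = _digest(api_key)
    # Compare against every stored digest in constant time.
    match = None
    for stored in KEYS:
        if hmac.compare_digest(stored, presented):
            match = stored
    if match is None:
        return False, "unknown key"
    policy = KEYS[match]
    # A key is linked to specific APIs; anything else is refused.
    if api not in policy["apis"]:
        return False, "key not linked to this API"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "caller IP not allowed"
    if not any(addr in net for net in policy["networks"]):
        return False, "caller IP not allowed"
    # Sliding one-minute window on accepted calls for this key.
    recent = [t for t in _calls.get(match, []) if now - t < 60]
    _calls[match] = recent
    if len(recent) >= policy["per_minute"]:
        return False, "call volume exceeded"
    recent.append(now)
    return True, policy["project"]
```

On success the function returns the project name only: the key says which project is calling, not which user.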

Limitations

API keys are considered less secure than authentication tokens. They can identify a project that is calling on an API, but they cannot identify an individual user. API keys can be stolen.

Examples

In 2014, Netflix retired its public API in favor of a restricted model that granted access only to trusted developers. Netflix cited its changing business model as the reason.

In May 2015, LinkedIn began limiting access to some of its APIs. Non-partner developers were limited to accessing LinkedIn's Profile, Share and Companies APIs. Other APIs, including Connections and Groups, became available only to select development partners.

In July 2018, Google Maps began restricting access to some of its APIs and introduced a pay-as-you-go API pricing model, based on the volume of calls made on an API.

In July 2018, Facebook began restricting APIs for its Graph API Explorer App. The app includes a Profile Expression Kit, used by approved developers to allow users to share photos and videos created in their app as profile pictures and videos on Facebook. It also includes Media Solutions, a set of APIs that enable developers to build tools for Facebook's media partners, and the Marketing API, which helps businesses automate and scale their advertising on Facebook, including the creation of ads and the management of campaigns. Facebook also introduced a new app-review permissions process for its Lead Ads Retrieval and Live video APIs.

This was last updated in August 2019
