APIs: The Restaurant Analogy

Base URL is the street address. Endpoint is the menu item. Parameters are your order. Paste it in Chrome and see.

The Restaurant — What an API Actually Is

You walk into a restaurant. You don't go into the kitchen and start cooking. You look at a menu, tell the waiter what you want, and the kitchen sends it out. That's an API.

API stands for Application Programming Interface. It's not a thing you install or a piece of software you can see. It's a contract between two systems: one asks, the other answers. The menu defines what you can ask for. The waiter carries the request. The kitchen does the work.

Every time two systems need to talk to each other — your phone checking the weather, a CRM syncing contacts, a dashboard pulling sales data — they're using an API. One system says "give me this data" or "do this thing," and the other system responds.

Key insight

An API is not a product or a tool. It's a way of communicating. When someone says "we use the CRM's API," they mean "we talk to the CRM using the rules it defined for how to talk to it."

Requests and Responses — The Only Pattern

Every API interaction follows the same pattern: request and response.

You send a request (ordering food). You get a response (the food arrives, or the waiter says "we're out of that"). Every single thing that happens on the web is a request followed by a response.

When you open a website, your browser sends a request to a server ("give me this page"). The server sends back a response (the HTML, CSS, and JavaScript that make up the page). When a dashboard loads data, it sends a request to an API ("give me this data"). The API sends back a response (the data as JSON).

There is no third step. No "request, response, and then the magic happens." It's always: ask, answer.

URLs as Addresses — Where to Send the Request

Every API request needs an address — where should this request go? That address is a URL, and it works exactly like a restaurant address.

Let's break down the restaurant analogy one more level:

  • Base URL = the street address of the restaurant (https://api.open-meteo.com)
  • Endpoint = the specific item on the menu (/v1/forecast)
  • Parameters = the details of your order (?latitude=40.71&longitude=-74.01&current_weather=true)

Put them together:

https://api.open-meteo.com/v1/forecast?latitude=40.71&longitude=-74.01&current_weather=true

That full URL says: "Go to Open-Meteo's API server, ask the forecast endpoint, and I want current weather for New York City."

Key insight

A common confusion: people think the whole URL is the endpoint. It's not. The endpoint is just the path part — /v1/forecast. The base URL is the server address, and the parameters are the details. The endpoint is the menu item. The parameters are how you customize your order. The base URL is where the restaurant is located.

Anatomy of an API URL

Example:
https://api.open-meteo.com/v1/forecast?latitude=40.71&longitude=-74.01&current_weather=true
Street Address(Base URL)
Menu Item(Endpoint)
Your Order(Parameters)
Hover over a segment to see what it does.

Try It Right Now — APIs in Your Browser

Here's the aha moment. Copy this URL and paste it into Chrome's address bar:

https://api.open-meteo.com/v1/forecast?latitude=40.71&longitude=-74.01&current_weather=true

You'll see something like this — clean, readable data:

{
  "current_weather": {
    "temperature": 18.2,
    "windspeed": 12.5,
    "weathercode": 1,
    "time": "2025-06-15T14:00"
  }
}

That's JSON — the universal format APIs use to send data. It's just labels and values. You could be a baby and read this. Temperature is 18.2. Wind speed is 12.5. Done.

Now try something else: go to any website — say, a news site — and right-click, then click "View Page Source." You'll see a wall of incomprehensible HTML tags, CSS, and JavaScript. Thousands of lines of markup that mean nothing to a human eye.

That's the difference. Websites are built for browsers to render. APIs are built for programs to read. And it turns out, data built for programs to read is way easier for humans to read too.

Try it — simulated API explorer
GET/api/users
Pick an endpoint and click Send to see the response.

JSON vs. HTML: Same Data, Different Formats

API Response (JSON)
{
  "current_weather": {
    "temperature": 18.2,
    "humidity": 64,
    "wind_speed": 12.5,
    "wind_direction": "NW",
    "condition": "Partly cloudy",
    "time": "2025-06-15T14: 00"
  }
}
Website Source (HTML)
<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Weather - Current Conditions</title> <link rel="stylesheet" href="/assets/css/main. min.css?v=8f2a3b"><link rel="stylesheet" href ="/assets/css/weather-widget.css"><script src= "/assets/js/vendor/jquery-3.7.1.min.js"></scri pt><script src="/assets/js/analytics.bundle.js " defer></script><script>window.__INITIAL_STAT E__={"config":{"apiKey":"pk_live_928f","region ":"us-east-1"}}</script></head><body class="pg -weather theme-default has-sidebar"><div id="r oot"><div class="app-shell"><header class="nav bar navbar--fixed"><div class="container"><a h ref="/" class="logo"><img src="/img/logo-2x.pn g" alt="" width="120"></a><nav class="nav-main " role="navigation"><ul class="nav-list"><li c lass="nav-item active"><a href="/weather">Weat her</a></li></ul></nav></div></header><main cl ass="content-wrapper"><div class="weather-hero "><div class="container"><div class="row"><div class="col-md-8"><div class="card card--weath er"><div class="card__header"><h1 class="card_ _title">Current Conditions</h1></div><div clas s="card__body"><span class="temp">18.2</span>< span class="unit">&deg;C</span>

You could be a baby and read the left side. The right side is what your browser downloads when you visit a weather website -- thousands of lines of markup to show the same six data points.

HTTP Methods — The Four Verbs

Remember CRUD from Lesson 2? APIs use CRUD too, just with different names. These are called HTTP methods:

MethodCRUD OperationWhat It DoesExample
GETReadRetrieve dataGet a list of contacts
POSTCreateMake something newCreate a new deal
PUTUpdateChange something existingUpdate a contact's email
DELETEDeleteRemove somethingDelete a note

When you type a URL into your browser and hit enter, that's a GET request. When you submit a form, that's usually a POST. The method tells the server what kind of operation you're asking for.

Status Codes — Did It Work?

After you send a request, the server sends back a status code — a three-digit number that tells you what happened. The simple version:

200 means good. 404 means bad.

Now the full picture:

  • 200 OK — Everything worked. Here's what you asked for.
  • 201 Created — Done. I made the new thing you asked me to make.
  • 400 Bad Request — I don't understand what you're asking for. Your request is malformed.
  • 401 Unauthorized — You didn't prove who you are. Show me your credentials.
  • 403 Forbidden — I know who you are, but you're not allowed to do this.
  • 404 Not Found — That thing doesn't exist. You asked for user 99999 and there is no user 99999.
  • 500 Internal Server Error — Something broke on my end. It's not your fault.

The first digit tells you the category: 2xx means success, 4xx means you messed up, 5xx means the server messed up.

Real-world example

When you see a "404 page" on a website, that's literally the server returning status code 404 — "I don't have anything at this URL." The website just renders a nice error page instead of showing you the raw number.

Authentication — API Keys as VIP Passes

Some APIs are free and open — like the Open-Meteo weather API you just tried. No sign-up, no key, just paste a URL and get data. Those are keyless APIs — great for getting started.

But most APIs don't let just anyone make requests. You need to prove who you are. The most common way is an API key — a long string of random characters like sk_live_a1b2c3d4e5f6 that you include with every request.

Here's the critical thing about API keys: they are unauthenticated bearer tokens. That means whoever has the key can use it. There's no username, no password, no second factor. If someone gets your key, they can make requests as you. It's like a physical key to a building — whoever holds it walks in.

This is why API keys must be kept secret. You never put them directly in your code.

.env Files and .gitignore — Keeping Secrets Safe

So where do API keys go? In an environment file — a file called .env that sits in your project but is never shared.

# .env — this file stays on YOUR machine only
WEATHER_API_KEY=sk_live_a1b2c3d4e5f6
CRM_API_KEY=pat_xyz789abc123

Your code reads from this file at runtime, but the file itself is listed in .gitignore — a file that tells Git "never track these files, never commit them, never push them to GitHub." This way the keys stay on the developer's machine and never end up in the repository where anyone could see them.

Key insight

One of the most common security mistakes in software is accidentally committing API keys to a public GitHub repo. Automated bots scan GitHub constantly looking for exposed keys. The moment a key is pushed publicly, it's compromised. The .env + .gitignore pattern exists specifically to prevent this.

Rate Limiting — Don't Order Too Fast

APIs don't let you make unlimited requests. Most enforce rate limits — a cap on how many requests you can make in a given time window.

A free API might allow 100 requests per hour. A paid tier might allow 10,000. If you exceed the limit, the API returns a 429 Too Many Requests status code and temporarily blocks you.

This exists because every request costs the API provider money — server time, bandwidth, processing power. Rate limits prevent any single user from overwhelming the system.

Real-world example

If your app makes 50 API calls every time someone loads a page, and 20 people load the page at once, that's 1,000 requests in seconds. Rate limiting is why developers cache API responses and batch requests — to avoid hitting the ceiling.

The Progression — Free to Paid, Simple to Complex

When you're learning APIs, the progression looks like this:

  1. Free, keyless APIs — like Open-Meteo. Paste a URL, get data. No sign-up required. Start here.
  2. Free APIs with a key — sign up for a free account, get an API key, include it in your requests. Same pattern, one extra step.
  3. Paid APIs with keys and rate limits — production-grade APIs where you pay per request or per month. More data, higher limits, better reliability.
  4. OAuth-based APIs — complex authentication where you log in through a browser flow and get temporary tokens. Used by services like Google, Microsoft, and most social platforms.

Each step adds a layer, but the core pattern never changes: send a request to a URL, get a response back.

Real Examples — APIs in Practice

APIs aren't theoretical. Most internal tools are built on API calls:

An analytics dashboard calls a reporting API to get live data. It sends a GET request with a query, and the API responds with results as JSON. The dashboard then renders that data as charts.

An email automation tool calls two APIs: a CRM API to read deal and contact data, and an email API to read and send messages. It pulls context from one system, processes it, and pushes results to another.

A daily briefing service calls a calendar API to pull upcoming meetings and a task management API to pull recent activity, then uses an AI API to process that data into a summary. Multiple APIs, chained together, each one a simple request-response.

Key insight

Most real software isn't one API call — it's a chain of them. Read from this API, process the data, write to that API. Each link in the chain is still just a request and a response.

Further Reading

Learn more

Concepts from this lesson:

Try it yourself:

  • Open-Meteo API — Free weather API, no key required. The one we used above.
  • Public APIs List — A curated list of hundreds of free APIs to experiment with