API Request: What Is It and How Does It Work?

The modern application programming interface (API) is a specialized piece of software built according to a set of rules that creates a connection between software applications and data sources. Based on open standards, APIs are relatively simple to set up and modify. They are an essential element of cloud computing and storage solutions because they enable the exchange of data and operational instructions from one system to another nearly universally.

Cloud computing and cloud storage as we know them today would arguably not exist without APIs. This article discusses the API request, or API call, a type of message that requests or sends data or operational instructions from a requesting application and the API.

The evolution of the modern, standards-based API

To understand an API request and how it works, first, we must understand how this software construct came to exist. For one thing, the term “API” has shifted over the last decade, and it's worth briefly explaining what happened.

When we talk about APIs today, we almost always mean APIs built using the representational state transfer (REST) standard and communicating using the JavaScript Object Notation (JSON) over HTTP. However, an API can be many other things. There are proprietary APIs that connect printers to operating systems, to name one of hundreds of examples.

The modern, standards-based API came into existence over the last twenty years or so based on a desire for simple, economical, and universal connectivity between software applications. Previously, application integration required cumbersome and expensive proprietary connectors or custom-coded solutions.

The first step in this revolution was the development of the “service-oriented architecture” (SOA) standards in the 1990s, such as the Simple Object Access Protocol (SOAP). This was the open standards-based connectivity technology behind Microsoft .NET and other simple, inexpensive approaches to interoperation. A series of innovations and standardizations took SOA further, leading the industry to today’s REST/JSON APIs, which are the de facto standard.

What is an API request?

An application program interface (API) is the technology layer that allows two applications to talk to each other. In the world of cloud object storage, the S3 API is the de facto standard, providing a common language for applications to talk to any S3 API-based object storage platform.

An API request is a message, typically written using JSON and transmitted over HTTP, that asks an API to perform a service. It originates from a system that needs the service. For example, if a sales operations solution generates a sales contract in PDF format, it could use an API request to “put” the PDF onto a cloud storage volume using the PUT HTTP method. The storage solution's API receives the API request and follows the instructions to store the PDF.

API requests are essential for cloud storage because they allow virtually any application to interoperate with the cloud storage platform without requiring a proprietary or custom-coded connection. As long as the API request is written using agreed-upon rules and standards, it will work with the API.

The anatomy of an API request

What’s in an API request? Each contains a set of standard elements, including:

• The API endpoint URL: Each API has a web address in the form of a URL.

• HTTP method: Defines the purpose of the request, for example, GET for retrieving data, PUT for replacing data into a database, POST, DELETE, and so forth.

• Headers: These provide metadata about the API request, for example, authentication and content type.

• Body (if applicable): The body contains data for POST or PUT requests.

• Query parameters: These are optional, but they can refine requests in if/then mode.

• API passwords or keys: APIs often only respond to requests that contain the correct key, for security purposes.

Here's an example of an actual API request, taken from DreamFactory.com. It is a request to GET data from a database table called “contact info.” It uses an API key to get access to the API.

How API requests function 

While the formatting and details of API requests vary, their basic function remains the same. Each request contains an HTTP method that figures into the request-response cycle. 

The role of HTTP methods in API requests 

The API request contains a tag for its HTTP method, for example, "method": "GET". Here's a brief overview of the HTTP methods used in API requests: 

• GET — Retrieves data, for example, to get a mailing address for a customer relationship management (CRM) solution

• POST — Sends data to a destination to be processed, e.g., adding a new customer record to the CRM solution. POST is often used as the method for uploading a file to a system or submitting a form

• PUT — Replaces target request with a data “payload” contained in the API request, for example, substituting a new version of a contract in PDF form for the existing file that’s already in storage

• PATCH — Partially modifies an existing resource, for example, changing a customer's phone number in the CRM solution

• DELETE — Removes data

The use of a given HTTP method will depend on the purpose of the API request. Typically, an application that invokes an API will have several API requests programmed to handle scenarios where the application needs to GET, PUT, DELETE, and so forth, based on the business process it is realizing. 

Understanding the request and response cycle 

APIs work using a call-and-response interaction between an application that invokes the API through an API request to an API server. When the server receives an API request, it can respond in several ways, depending on the circumstances. If the API is functioning, the request obeys whatever rules have been established, and the requestor has permission to make the request, the API server will respond as instructed. 

The response body is a crucial part of an API request, as it contains the data or information that the client requested from the server. For example, if the API is not working, the requestor might get an error message like “500 Internal Server Error,” and so forth. These API responses may be in JSON format, extensible markup language (XML), or plain text. 

Types of API requests and their uses

Due to the use of synonyms in describing HTTP methods, it's possible to get confused about different types of API requests. Here is a quick rundown of when to use which type of HTTP method.

GET vs. POST requests

GET and POST are opposites. GET is about “getting” data from an API, while POST places data on a resource represented by an API. When exposing an API to GET requests, it's important to pay attention to security considerations. A malicious actor can GET sensitive data if the API is not properly configured for security.

For the strongest security, the best practice may simply be to switch off the API's ability to respond to GET requests altogether. Otherwise, good security practices include encrypting data sent via GET requests, subjecting GET requests to strict authentication and authorization controls, and throttling the number of GET requests the API will process from a given requestor.

PUT, PATCH, and DELETE: When to use them

PUT and PATCH are similar requests, but each has its own purpose. PATCH performs a partial update, while PUT adds totally new data or completely replaces data. DELETE erases data. All three requests create risk exposure. A malicious actor can exploit PUT and PATCH to change data and render it useless. DELETE can be abused to eliminate data maliciously. For these reasons, it is a good practice to restrict PUT, PATCH, and DELETE requests to users who are authorized to perform these actions.

This may require an API security solution integrated with an identity and access management (IAM) system. It's a challenging control to implement, however, because much of the time, the “user” is a machine, not a person.

REST API requests

REST is a software architecture designed for interoperation between internet-based applications. RESTful APIs involve the coupling between a user agent , for example, the “client,” and an origin server. REST treats data and application functionality as “resources,” leading it to be known as a resource-based standard. Based on open standards, REST is known for being lightweight, simple to use, and flexible. REST is stateless, so each REST request contains all the information it needs to achieve its purpose.

REST is predominant, having mostly replaced the older SOAP protocol. However, SOAP has uses and is considered better for security and versatility. SOAP can handle a broader range of process instructions, which makes it suitable for application integration amongst legacy systems, for example, connecting a UNIX-based system to a web frontend.

How costly are API requests?

Source: Wasabi Cloud Storage Index Report - Vanson Bourne, 2025

API requests often come with fees. With cloud storage, it’s common for cloud platform providers to charge a fee for accessing the API. It’s essential to understand how these charges factor into cloud storage pricing, because the fees can add up. The following primer helps you get a handle on API requests and the fees they incur.

1. Understanding API request fees

Sometimes, the cloud provider will charge a fee every time an application invokes the storage API. It might charge for common API operations like PUT, GET, LIST, COPY, and DELETE, among others. The fees are seemingly low, for example Amazon S3 Glacier Deep Archive charges $0.03 per GB for “expedited” GET (retrieval API requests). S3 Standard charges $0.01 per 1,000 API requests. Over time, and with volume across objects and files, these costs can escalate.

2. How API request fees accumulate

It may not seem like much to be paying a penny for a thousand API requests or three cents per GB you GET, but you might be surprised how quickly this accumulates. For instance, users and automated processes can trigger API requests, such as backup verification or data indexing. Without anyone doing anything, your application could run automated workflows that generate hundreds of thousands of API requests daily.

3. Real-world cost impact of API requests

Consider the following scenario. You have a 100 TB backup stored in AWS S3 Standard. If you have 10 files per GB, that’s 1,024,000 files being backed up. With four backups a day, that’s 4,096,000 PUT API requests daily. Even at $0.01 per 1,000 PUTs, you will be spending $14,746 per year on PUT API fees.

LIST requests for verification can add more hidden fees. Multipart uploads for large files multiply PUT costs significantly. Combine that with GETting multiple terabytes of data from cold storage, and you could be looking at significant unexpected costs.

4. Hidden fees beyond storage 

API request fees can also appear in other areas. For example, a cloud provider may charge lifecycle management fees with API access costs for moving objects between storage tiers. Similarly, you might see backup verification fees, for example, the periodic LIST and HEAD API requests required for backup validation. Or, if an application wants to check metadata like an object's timestamp, that, too, can be subject to API fees. 

5. Choosing the right cloud storage provider 

API requests should be a factor when you select a cloud storage provider. Total cost of ownership (TCO) matters in analyzing which service will be right for you. Keep in mind that storage fees alone don't reflect the true cost. API requests can increase expenses in unpredictable ways. A bill that goes up and down over time can cause problems with budgets and purchase orders.

6. Predictable pricing advantage with Wasabi

Wasabi approaches cloud pricing with a flat rate charge and no fees for API requests like PUT, GET, LIST, or COPY operations. With Wasabi Hot Cloud Storage, costs are predictable, regardless of data activity. Wasabi service does not include hidden charges for backup verification or lifecycle policies.