Flow of an API

@jaseofspades88 I mean how does Amazon get the data to my browser? I am guessing they must be using an API themselves to get products while a user shops. Is Amazon.com an API and a regular website or a middle connection.

My browser -> amazon.com -> they get products from their API -> send products list back to my browser

Do they get the data first on their website then send it or does it come to my browser directly from an API. This is the part I don't understand. Also I have seen on the forum where everyone seems to ask about the friendly URL's but on Amazon I see URL's like - "https://www.amazon.com/Beauty-Makeup-Skin-Hair-Products/b/?ie=UTF8&node=3760911&ref_=nav_cs_beauty" Is the part that has "node=3760911" a token?

@dpelto I don't believe that's a token, They probably use a header. I am not sure how amazon works, but it's late here now. Tomorrow I will try to find out more how it works.

Just a guess here, but as @jaseofspades88 said they are probably generating a token. I know many API's will use local storage instead of cookies for this back and forth communication.

There are so many ways an api works however.

@dpelto Amazon is just a website. You log in. You get a session. Amazon then sends you generated HTML pages with data fetched from a database.

Not everything is an API.

@dpelto I did not realize amazon did not use an api.

But the general flow and note I don't have experience with shops but a Humane Society some years ago. And since then another board and president took over and I no longer volunteer there.

So my example is from what I know.

If you go to the San Antonio Humane Society they use Petango API.

When you click adopt then adoptable-pets then dogs, the data is pulled in probably in an iframe or an object tag from Petango.

So you, the end user has nothing to do or worry about dealing with the api. The programmer at the Humane Society did that.

Each api will have instructions on it's usage, usually with examples. But you are correct, there are sites that sit between your browser and an api, but in such cases they are using the api to get data, not you.

I used adopt a pet, but again it's been quite a few years ago. and i used iframes to display the data. And each shelter would have a unique shelter id assigned.

Edit

I am guessing that an online shop that gets it's products from an api would be similar. It's them that deals with the tokens, not the end user.

@jlrdw so if I understand your answer and the answer from @jaseofspades88 if I login to a web site or an API that have an email and a password then if it's an API they take care of the token I mean they handle everything in the background for me. And if it's a website that also uses an API to get data I don't worry about that neither. I would only need a token if I was the one getting API data on my website. Both answers helped and I don't know who to show solved it.

@dpelto to add, if you are planning to write your own api, look at the chapter on api resources:

https://laravel.com/docs/10.x/eloquent-resources#main-content

And besides the videos on laracasts (they are good) and just FYI, there are also some on youtube that covers Sanctum and Passport. But if using youtube, just be aware of who you are learning from, make sure they have a good reputation.

@jlrdw thanks for the information. At this time I am not planning an API. I was just curious about the tokens.

@jlrdw Is there a best practice and perhaps a more secure practise between using cookies and using the local storage ?

@vincent15000 It's been a while for me. I have actually been refreshing my knowledge by watching some decent videos on api security. Oauth 2 seems to be real good. But I am still not sure about cookie verses local storage.

One thing I caught on to is it seems more secure sending a token in a header and not a query string.

Also one instructor stored the current ip and made sure internet traffic didn't change during that users visit.

It seems there are so many ways people do an api. Some have a key and a secret whereas some just the key. But I am going to view some of those again to get more up to date.

There is also one series of videos on nodejs and express js, I watched maybe 5 so far, and it actually reminded me of how I programmed in java ee, well kind of.

The next time I am on the series I will edit this and put the link on the node js course if you want it.

@jlrdw Thanks for your answer. Yes I agree with you, there are several ways to secure an API. Perhaps there isn't any answer to my question.

Ok for the link ;).

@vincent15000 one is https://www.youtube.com/watch?v=k_0ZzvHbNBQ&list=PLillGF-RfqbYRpji8t4SxUkMxfowG4Kqp I noticed it's a little older, but seems to be a fairly good introduction to some basics.

If you find you you like better please share.

I was also looking at another, sorry did not save link.

Edit:

Found it https://www.youtube.com/watch?v=zb3Qk8SG5Ms&list=PL4cUxeGkcC9jsz4LDYc6kv3ymONOKxwBU

@Snapey Agreed, there seems to be hundreds of different techniques people use.