# Getting started with API

An API is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software.

Before moving into FastAPI, let's explore the basic concept. API stands for:
- A – Application
- P – Programming
- I – Interface

The lesson intentionally starts with the last letter: Interface, because it is the most important concept.

If you understand what an interface is, the rest of API becomes much easier to understand.

# Interface

An interface is a way to interact with something without knowing how it works internally.

An interface:
- Exposes controls you are allowed to use
- Hides implementation details
- Lets you change behavior safely and predictably

This idea is called **abstraction**.

For example, a Radio have a lot of buttons included: Power, Volume, Station, etc. With basic understanding, you can turn it on or off, set it louder or change the channel. But outside of what it provide, we don't know how it process the signal, how every part connect together and how it can turning that signal into sound

Basically, the interface gives you control without complexity.

As technology evolved, physical interfaces inspired software interfaces.

This leads to the concept of a **GUI - Graphical Unit Interface**: Like a music stream app with common element like a radio

Ok so let shift perspective a bit, So far we understand that **UI** built for end users and **API** built for developer.

To imagine, a developer creating a mobile app will have to defines what happens when the button clicked (Logic handling) BUT NOT implement button play, handling how users touch the screen, sound, etc. Those thing except of the logic called **Interface**

A single action (most of the application nowadays) can be triggered by multiple API and they stack layers of layers to fully operating a software

# Defining API

An API (Application Programming Interface) can be thought of as a contract.

It clearly defines:
- How it is expected to be used
- What you can expect to receive when you use it correctly

In simple terms, an API is a set of tools provided for developers.

APIs exist to make a developer’s life easier.

They:
- Give you access to data
- Provide an abstraction over complex implementations
- Save you from building everything from scratch

When designed well, APIs allow you to do things that would otherwise be extremely difficult — sometimes with just a few lines of code. This is why APIs are so important in modern software development.

Today, when people say API, they are usually referring to web-based APIs. But in real application, they can be:
- **Programming Languages**: Every programming language provides APIs, a common example is a String API (Convert to lower / upper case). All this type exists because it's a common problem developers face
- **Cross-Platform Compatibility**: Programming language not only running on one type of OS, it can be multiple (Win, Mac, Linux, etc.) and each of those needed to specify a unique way to exchange information between high - low level
- **Web Browsers and Web APIs**: Same question as OS, a lot of browser, each have different feature and display but still work fine when accessing into a same page? Simple, they all shared set of Web APIs, when access to a server web, it will make a small "contract" and trading information. This "contract" stay the same at a foundation protocol
- **Libraries and Framework APIs**: This work in a same way as other, they provide some endpoint which we can use to complete a specific task without too much technical

As we discussed so far, API can be both external or local provided. It's help us to do everything without reinventing the wheel

# Remote APIs

Often, we simply don’t have enough space or data locally. Like Spotify, where it stored a massive music database, what it does is using a remate APIs each time we find or listen to something:
- Searches a massive database
- Performs complex analysis
- Returns the list of songs

You don’t store the data. You don’t run the algorithm.

Remote systems can:
- Use massive CPUs and GPUs
- Run complex AI models
- Process data far beyond local device capabilities
- etc.

The idea of remote APIs existed long before they worked well. At Early Stage, APIs cannot be shared, they don't have any standard or common flow which made this very hard to used.

But then **REST - Representation State Transfer**, a new breakthrough provide:
- Clear rulese
- Consistent interaction
- Resource-based access over the web

REST always come with APIs, it's not the only approach but became dominant. Even though more and more algorithms evolve, REST remain as a foundation model

# How the Web Work

Now let’s zoom in and see what actually happens when you “use the web”.

- Your **browser** is a **web client**.
- The website you want to access runs on a **server**.
- Your client sends a request to the server, the server sends a response back.

When you type something into the address bar, you are entering a location.

- **URL** = *Universal Resource Locator* (a specific type of identifier that tells you where and how).
- **URI** = *Universal Resource Identifier* (a broader term; URL is a subset).

A URL usually includes a **scheme**, like `http` or `https`. That scheme tells the client which rules to use for communication.

Your browser uses **HTTP** — **H**yper**t**ext **T**ransfer **P**rotocol.

***A URLs/Endpoints included: Domain + Path/Endpoint/Query Params***

Let’s break the last word down: **protocol**.

A **protocol** is like a contract: it defines the expectations for how messages are exchanged.

When you visit a page:

1. The client (browser) creates an **HTTP request**.
2. The request is sent to the server (that’s the “Transfer” part).
3. The server receives it, does the work it needs to do.
4. The server sends back an **HTTP response**.

For a normal webpage, the most important part of the response is the **body**.
- The body often contains **HTML** (*HyperText Markup Language*).
- **Hypertext** means text that can link to other texts.
- In HTML, links are typically created with **anchor tags** (`<a ...>`).

When you click a link, you usually trigger a brand new request, and the cycle repeats.

HTTP was originally designed to be **stateless**:
- After a request gets a response, that interaction is done.
- If you want “memory” (state), the **client** has to keep it and send what’s needed with each new request.

This is why things like sessions, tokens, and cookies exist: they help the client and server keep continuity across many separate requests.

An HTTP request also includes a **method** (also called a verb). Common ones:

- **GET**: retrieve data (should not change server state).
- **POST**: send data to the server (commonly used for forms / submissions).

There are more methods, but GET and POST are enough to understand the basic web flow.

Requests and responses carry more than just “a URL and some HTML”. They include extra details such as:
1. Query string parameters: You’ve seen these in URLs — the stuff after `?` (and separated by `&`). This is one way to pass information *as part of the URL*.
2. Headers: Another common mechanism is **headers**: key/value pairs sent with both requests and responses.

Caching is powerful: why download the whole page again if you already have a valid copy locally?

> In short: query strings are “in the URL”, headers are “metadata beside the body”.

3. Status codes: Responses include **status codes** to tell you the outcome included 2xx, 3xx, 4xx and 5xx is the most common results we get

# RESTful API Constrain

Let’s take a look at how the RESTful approach takes advantage of the web and its tooling for your benefit, profit.

REST stands for **Representation State Transfer**.
APIs that meet the REST architectural style constraints are considered **RESTful**.

Here are the guiding architectural constraints required for an API to be considered RESTful:

- Client–Server
- Stateless
- Layered System
- Cacheable
- Uniform Interface
- Code on Demand

Much like the web, the client makes a request to a server.

- The **client** is typically your program (not a browser).
- You’ll probably use a library to create and send HTTP requests.
- The protocol used **HTTP**.

And HTTP is stateless. If you want to maintain state (like login details), you must send it with **each** request — usually using **headers**.

Now we should talk about what that request was requesting. In REST, the request is typically asking for information about a **resource** (R in URL / URI). A resource is intentionally a little abstract. We use the term resource to reference an object — and that object can represent just about anything we build. Think in resources and collections.

Most of what we want to do to resources can be expressed through the unfortunate sounding acronym **CRUD**:
- **C**reate
- **R**ead
- **U**pdate
- **D**elete

As a user browsing a website, you mostly do “read” operations. You retrieve pages. Your browser sends a **GET** request to a URI, then the server responds. REST APIs follow the same logic, but instead of returning HTML for a page, they usually return **data**.

These days, the response body is commonly represented as **JSON** (*JavaScript Object Notation*). JSON is a great format for structured and nested data, and pretty much every programming language can convert JSON strings into native objects.

If you recall, HTTP gives us multiple verbs, and REST uses those verbs to clearly state the intention of your request:
- Want to retrieve an author? `GET /authors/{id}`
- Want to add an author? `POST /authors` (and include the new author data in the request body)
- Want to remove an author? `DELETE /authors/{id}`
- Want to update an author? often `PATCH /authors/{id}`

If an application exposes a REST API, you can interact with it programmatically:
- Grab data
- Remotely automate tasks
- Smoosh together different services

And here’s the thing: there are a ton of APIs available for just about anything you can imagine — and if they’re truly RESTful, they’ll all feel pretty similar.

# Explore API with Spotify

Up to now, we’ve talked about the web in the abstract.
Now it’s time to get a little more specific and see what “using an API” looks like in the real world.

##### Step 1: Find the developer portal

Go to a site (any site), scroll around, and look for the nerdy stuff.
A lot of companies hide it at the bottom of the page with links like:
- `Developers`
- `Docs`
- `API`
- `Developer Portal`

On Spotify, you’ll end up at **Spotify for Developers** — and it feels really nice when a company takes care of developers with good documentation.

##### Step 2: Choose the Web API (REST over HTTP)

In the developer portal you’ll usually see multiple options:
- SDKs for iOS / Android
- Client libraries
- And the one we care about right now: **Web API**

Spotify’s Web API is based on REST principles and returns **JSON** about:
- Artists
- Albums
- Tracks
- Playlists
- And more

You’ll also see a base URL like `api.spotify.com`, and then a set of **endpoints** (paths) that target different resources.

##### Step 3: Notice the REST patterns

As you read the docs, you’ll keep seeing the same patterns we discussed:
- `GET` retrieves resources
- `POST` creates resources
- `PUT`/`PATCH` updates resources
- `DELETE` removes resources

Spotify also uses a resource identifier style (for example: a **track** has a Spotify ID).
Once you have an ID, you can use it in other endpoints to fetch related resources.

##### Step 4: Authorization exists (but we won’t go deep yet)

Some endpoints require **authorization** because you shouldn’t be able to modify anyone’s data. Example: you shouldn’t be able to add songs to someone else’s playlist.

So Spotify supports authorization (OAuth). For our first exploration, we’ll focus on safe read-only operations like search and browsing publicish data.

##### Step 5: Use the API Console to explore

A really friendly thing some API providers offer is an interactive **console**.
Spotify has one, and it lets you:
- Pick an endpoint (like Search)
- Fill in parameters (like query and type)
- Generate a request (often showing a `curl` example)
- Click “Try it” and see the JSON response

##### Step 6: Get a token (and don’t leak it)

To try requests, you’ll often need an OAuth token.
The console can help you create one (you may need to log in or create an account).

Important:
- Treat tokens like passwords.
- Don’t paste them into public places.
- If you accidentally expose one, rotate/revoke it.

Once the token is set, click “Try it”.
You should get back a JSON response that includes a list of matching artists, including fields like:
- Name
- Followers
- Genres
- External URLs
- The artist’s Spotify ID

##### Step 7: Follow the resource graph (IDs unlock more endpoints)

Now that you have an **artist ID**, you can switch endpoints.
For example, you can request the artist’s albums with a path like:
- `GET /artists/{id}/albums`

That response is also JSON and typically includes:
- Album names
- Release info
- Markets/availability
- Images (cover art URLs)

If you open one of the image URLs, you’ll see it’s just another resource you can fetch.

# FastAPI

FastAPI is an ASGI-based API framework that converts HTTP requests into validated Python function calls, and converts Python return values into HTTP responses.

FastAPI is an interface layer between:
- The outside world (HTTP clients)
- Your internal application code

FastAPI itself does not care what your application does. It only ensures that data entering and leaving the system is correct, structured, and efficient.

FastAPI mostly used for returning something we want in a structured way, there's various method being used most of the time included:

### GET (Read)

> **Goal:** retrieve data without changing server state ("safe").

**What it does in HTTP**
- A `GET` request asks the server to **return a representation** of a resource.
- It should **not** create/update/delete data (in REST terms).
- It’s commonly **cacheable** (clients/proxies may store responses).
- It’s **idempotent**: calling it many times should give the same result (assuming data didn’t change).

**What it looks like in FastAPI**
- Use `@app.get(...)` to map an HTTP `GET` to a Python function.
- Parameters can come from:
  - **Path params**: `/items/{item_id}`
  - **Query params**: `/items?limit=10&offset=0`
- FastAPI validates and converts types (e.g. `int`, `float`, `bool`).

**Short example**
```python
from fastapi import FastAPI, Query

app = FastAPI()

@app.get("/items/{item_id}")
def read_item(
    item_id: int,
    q: str | None = None,
    limit: int = Query(10, ge=1, le=100),
):
    return {"item_id": item_id, "q": q, "limit": limit}
```

**Typical response codes**
- `200 OK`: resource returned
- `404 Not Found`: resource doesn’t exist
- `422 Unprocessable Entity`: validation failed (e.g. `item_id` not an int)

### PUT (Replace / Update)

> **Goal:** update a resource by sending the **full new representation** (or a full set of fields you consider required).

**What it does in HTTP**
- `PUT` is typically used to **replace** a resource at a known URI.
- It is usually **idempotent**: repeating the same `PUT` should lead to the same stored state.
- A common REST pattern: `PUT /items/{id}` replaces item `{id}`.

**What it looks like in FastAPI**
- Use `@app.put(...)` and a Pydantic model for request body validation.
- FastAPI reads JSON from the request body into the model.

**Short example**
```python
from fastapi import FastAPI
from pydantic import BaseModel

app = FastAPI()

class Item(BaseModel):
    name: str
    price: float
    in_stock: bool = True

@app.put("/items/{item_id}")
def replace_item(item_id: int, item: Item):
    # Replace the stored representation for item_id with `item`
    return {"item_id": item_id, "stored": item}
```

**Typical response codes**
- `200 OK`: updated and returning the updated resource
- `204 No Content`: updated successfully, no body returned
- `404 Not Found`: resource to replace doesn’t exist (depends on your rules)

### POST (Create / Action)

> **Goal:** submit data to the server to **create a new resource** (or trigger a server-side operation).

**What it does in HTTP**
- `POST` sends data to the server; the server decides what happens.
- It’s **not idempotent** by default: repeating the same request might create duplicates.
- Common REST pattern: `POST /items` creates a new item inside the collection.

**What it looks like in FastAPI**
- Use `@app.post(...)` with a Pydantic model body.
- Optionally set a creation status code like `201 Created`.

**Short example**
```python
from fastapi import FastAPI, status
from pydantic import BaseModel

app = FastAPI()

class ItemCreate(BaseModel):
    name: str
    price: float

@app.post("/items", status_code=status.HTTP_201_CREATED)
def create_item(payload: ItemCreate):
    # Pretend we inserted into DB and got new_id=123
    return {"id": 123, **payload.model_dump()}
```

**Typical response codes**
- `201 Created`: created successfully (often with the new resource or its URL)
- `400 Bad Request`: malformed input (custom)
- `422 Unprocessable Entity`: validation failed (FastAPI default)

### DELETE (Remove)

> **Goal:** delete a resource (or mark it deleted).

**What it does in HTTP**
- `DELETE` asks the server to remove the resource identified by the URI.
- It is typically **idempotent**: deleting the same thing twice should not keep changing state after the first delete.
- APIs sometimes implement “soft delete” (marking deleted) while still using `DELETE` externally.

**What it looks like in FastAPI**
- Use `@app.delete(...)`.
- Many APIs return `204 No Content` to indicate success with an empty body.

**Short example**
```python
from fastapi import FastAPI, Response, status

app = FastAPI()

@app.delete("/items/{item_id}", status_code=status.HTTP_204_NO_CONTENT)
def delete_item(item_id: int):
    # Pretend we deleted from DB
    return Response(status_code=status.HTTP_204_NO_CONTENT)
```

**Typical response codes**
- `204 No Content`: deleted successfully, no body
- `404 Not Found`: resource didn’t exist (optional: some APIs still return 204)
- `409 Conflict`: cannot delete due to constraints (custom)

### PATCH (Partial Update)

> **Goal:** update **part** of a resource (only the fields you want to change).

**What it does in HTTP**
- `PATCH` is usually used for **partial updates**.
- It is *not guaranteed* idempotent in all designs, but many APIs implement it in an idempotent way (same patch => same state).
- Common REST pattern: `PATCH /items/{id}` with only changed fields.

**What it looks like in FastAPI**
- Define a model where fields are optional, then only apply fields the client provided.
- Use `payload.model_dump(exclude_unset=True)` to get only provided fields.

**Short example**
```python
from fastapi import FastAPI
from pydantic import BaseModel

app = FastAPI()

class ItemPatch(BaseModel):
    name: str | None = None
    price: float | None = None
    in_stock: bool | None = None

@app.patch("/items/{item_id}")
def patch_item(item_id: int, payload: ItemPatch):
    changes = payload.model_dump(exclude_unset=True)
    # Apply `changes` into your stored item (DB update)
    return {"item_id": item_id, "changes": changes}
```

**Typical response codes**
- `200 OK`: updated and returning updated resource
- `204 No Content`: updated successfully, no body
- `409 Conflict`: update cannot be applied (custom)

### OPTIONS (Capabilities / CORS Preflight)

> **Goal:** ask the server what methods/headers are allowed for a resource.

**What it does in HTTP**
- `OPTIONS` is often used to discover server capabilities.
- In browsers, `OPTIONS` is heavily used for **CORS preflight** requests: the browser checks if a cross-origin request is permitted.
- The response often includes headers like `Allow`, `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers`, etc.

**What it looks like in FastAPI**
- Most of the time you don’t manually write `OPTIONS` handlers.
- Instead, you configure `CORSMiddleware`, and it automatically handles preflight `OPTIONS`.
- You *can* register an explicit `OPTIONS` route if needed.

**Short example (CORS preflight via middleware)**
```python
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://example.com"],
    allow_credentials=True,
    allow_methods=["*"]  # includes GET/POST/PUT/PATCH/DELETE/OPTIONS...
    ,
    allow_headers=["*"]
 )

@app.get("/ping")
def ping():
    return {"ok": True}
```

**Short example (manual OPTIONS route)**
```python
from fastapi import FastAPI, Response

app = FastAPI()

@app.options("/items")
def options_items():
    response = Response()
    response.headers["Allow"] = "GET,POST,OPTIONS"
    return response
```

### HEAD (Headers Only)

> **Goal:** like `GET`, but return **no response body**—only headers/status.

**What it does in HTTP**
- `HEAD` is useful when you want metadata without downloading the whole resource.
- Common uses: check existence, check `Content-Length`, `ETag`, `Last-Modified`, etc.
- It is **safe** and **idempotent** (like GET).

**What it looks like in FastAPI**
- FastAPI supports `@app.head(...)`.
- In practice, many ASGI stacks will automatically make `HEAD` behave like `GET` without a body, but defining it explicitly is clearer when you need custom headers.

**Short example**
```python
from fastapi import FastAPI, Response

app = FastAPI()

@app.head("/items/{item_id}")
def head_item(item_id: int, response: Response):
    # Pretend we looked up the item and computed an ETag
    response.headers["ETag"] = f'W/"item-{item_id}"'
    return Response(status_code=200)
```

### TRACE (Diagnostic Echo)

> **Goal:** diagnostic method that echoes the request so a client can see what intermediaries changed.

**What it does in HTTP**
- `TRACE` is a debugging method: the server returns the received request (or parts of it).
- Many servers and proxies **disable TRACE** for security reasons (it can help attackers reflect sensitive headers in some setups).
- In most APIs, you should avoid using `TRACE` in production.

**What it looks like in FastAPI**
- There isn’t a dedicated decorator like `@app.trace` in common FastAPI usage; instead use `api_route(..., methods=[...])`.
- Whether it works depends on your ASGI server/proxy allowing TRACE.

**Short example (educational / local only)**
```python
from fastapi import FastAPI, Request

app = FastAPI()

@app.api_route("/debug/trace", methods=["TRACE"])
async def trace_debug(request: Request):
    # Return minimal info instead of reflecting raw headers/body
    return {
        "method": request.method,
        "path": request.url.path,
        "client": request.client.host if request.client else None,
    }
```

### CONNECT (Proxy Tunneling)

> **Goal:** establish a tunnel (most commonly used by HTTP proxies for HTTPS via `CONNECT host:port`).

**What it does in HTTP**
- `CONNECT` is primarily for **proxy behavior**, not typical application APIs.
- A client asks a proxy to open a TCP tunnel to a destination (e.g. for TLS/HTTPS).
- Most backend web apps don’t implement this, and many servers/proxies won’t forward it to your app.

**What it looks like in FastAPI**
- You *can* register a handler using `api_route(..., methods=["CONNECT"])`, but it usually won’t be useful unless you’re intentionally building a proxy-like service.
- In practice, implementing a correct CONNECT tunnel requires low-level socket/tunneling logic outside normal request/response patterns.

**Short example (demonstration only)**
```python
from fastapi import FastAPI
from fastapi.responses import PlainTextResponse

app = FastAPI()

@app.api_route("/proxy", methods=["CONNECT"])
def connect_demo():
    # Most production setups will never route CONNECT here.
    return PlainTextResponse("CONNECT received (demo)")
```