# Web API & Flask



## 1. What is a Web API?

A **Web API (Application Programming Interface)** is a software interface that allows interaction between different applications over the internet using protocols such as HTTP. It defines a set of rules, endpoints, and data exchange formats that allow applications (clients) to communicate with services (servers). A Web API enables developers to access functionalities or data of an application without needing to understand its internal code.

**Key Points:**

- Web APIs work using HTTP methods (GET, POST, PUT, DELETE).
- They usually return data in JSON or XML formats.
- They allow integration between frontend, backend, mobile apps, and third-party services.
- Example: Google Maps API allows developers to embed maps into their applications.

**Short Example (conceptual):**

A `GET /users/123` request to an API might return `{'id': 123, 'name': 'Alice'}` in JSON.


## 2. How does a Web API differ from a Web Service?

Although both terms are related, they are not identical:

**Web Service:**

- A standardized communication method between two machines over a network.
- Often relies on SOAP (Simple Object Access Protocol).
- Heavier, more complex, with strict standards.

**Web API:**

- A broader concept than web services.
- Supports REST, SOAP, and custom implementations.
- Lightweight, commonly uses JSON over HTTP.

In short, every web service can be an API, but not every API is a web service. Web APIs (especially RESTful ones) are more common in modern web/mobile development due to their simplicity and flexibility.


## 3. What are the benefits of using Web APIs in software development?

Benefits of Web APIs include:

1. **Reusability** – APIs allow developers to reuse existing functionality.

2. **Interoperability** – APIs enable communication between different systems and platforms (e.g., web, mobile, IoT).

3. **Scalability** – APIs support system scaling by connecting distributed services and microservices.

4. **Security** – APIs implement authentication (e.g., API keys, OAuth) and authorization mechanisms.

5. **Faster Development** – Developers can integrate third-party APIs instead of reinventing features (e.g., payments, maps, email).

6. **Flexibility** – APIs can adapt to multiple devices and clients.

7. **Easier Maintenance** – Centralizing logic behind APIs makes updates easier without changing all clients.

8. **Innovation** – APIs open opportunities for new integrations, partnerships, and ecosystems.

**Real-world examples:** Twitter, Stripe, and Google provide APIs that let developers add complex features quickly.


## 4. Explain the difference between SOAP and RESTful APIs.

**SOAP (Simple Object Access Protocol):**

- A strict protocol that uses XML for messages.
- Provides standards for security (WS-Security), transactions, and messaging.
- Often used in enterprise scenarios where formal contracts (WSDL) and advanced features are required.
- Heavier and more verbose; built-in error handling.

**REST (Representational State Transfer):**

- An architectural style, not a protocol; uses standard HTTP methods.
- Typically uses lightweight data formats like JSON (but can use XML or others).
- Stateless: each request contains all information needed.
- Easier to implement, debug, and scale; popular for web and mobile apps.

**When to use which:**

- Use **SOAP** if you need built-in standards for security, reliable messaging, or transactional support in enterprise systems.
- Use **REST** for simple, fast, scalable web services where JSON-based payloads and HTTP verbs are sufficient.


## 5. What is JSON and how is it commonly used in Web APIs?

**JSON (JavaScript Object Notation)** is a lightweight data-interchange format that is easy to read and write for humans and easy to parse by machines.

**Why JSON is popular in APIs:**

- Simple syntax based on key-value pairs and arrays.
- Less verbose than XML; faster to transmit and parse.
- Native support (or easy libraries) in almost every programming language.

**Common use in Web APIs:**

- Requests (often in POST/PUT bodies) and responses (bodies) are encoded in JSON.
- Example response:

```json
{"id": 123, "name": "Alice", "roles": ["admin", "editor"]}
```

- JSON Schema can be used to validate the shape of JSON payloads.

Overall, JSON is the de facto standard for data exchange in modern RESTful APIs.


## 6. Can you name some popular Web API protocols other than REST?

Yes — here are common alternatives and when they are used:

1. **SOAP (Simple Object Access Protocol)** — XML-based, enterprise-focused.

2. **GraphQL** — A query language developed by Facebook that allows clients to request exactly the fields they need. Great for complex nested data and reducing over-fetching.

3. **gRPC** — High-performance RPC framework using Protocol Buffers (binary format). Ideal for low-latency microservices communication.

4. **OData** — Protocol for querying/updating data with standardized query options.

5. **JSON-RPC / XML-RPC** — Simple remote procedure call protocols using JSON or XML.

Each protocol has trade-offs in terms of performance, flexibility, and tooling support.


## 7. What role do HTTP methods (GET, POST, PUT, DELETE, etc.) play in Web API development?

HTTP methods (verbs) represent the action a client wants to perform on a resource.

- **GET** — Retrieve a resource or list of resources. Should be safe and idempotent (no side-effects).

- **POST** — Create a new resource on the server. Often not idempotent.

- **PUT** — Replace an existing resource (or create if allowed). Generally idempotent.

- **PATCH** — Partially update an existing resource (only the provided fields change).

- **DELETE** — Remove a resource. Idempotent.

- **HEAD** — Fetch headers for a resource (no body).

- **OPTIONS** — Show the allowed HTTP methods and other options for a resource.

Mapping methods to CRUD:

- Create → POST
- Read → GET
- Update → PUT/PATCH
- Delete → DELETE

Using the correct HTTP verbs improves clarity, caching, and adherence to RESTful principles.


## 8. What is the purpose of authentication and authorization in Web APIs?

Authentication and authorization protect resources and control access.

- **Authentication** verifies the identity of a client (e.g., username/password, API key, OAuth token).

- **Authorization** determines what an authenticated client is allowed to do (e.g., role-based permissions, scopes).

**Common methods:**

- **API Keys** — Simple tokens associated with an account.
- **Basic Auth** — Username and password sent over HTTPS (not recommended alone).
- **OAuth 2.0** — Industry-standard for delegated authorization (used by Google, Facebook, etc.).
- **JWT (JSON Web Tokens)** — Signed tokens that carry user claims; stateless authentication.

**Why important:**

1. Prevent unauthorized access to data and actions.
2. Enforce tenant or role boundaries in multi-tenant systems.
3. Meet compliance and auditing requirements.

Example: An `/admin` endpoint should require an authenticated token and an admin role in its authorization check.


## 9. How can you handle versioning in Web API development?

API versioning helps manage changes without breaking existing clients. Common strategies:

1. **URI versioning** — Include version in the path: `/api/v1/users`.

2. **Query parameter versioning** — `GET /users?version=2`.

3. **Header versioning** — Use a custom header like `X-API-Version: 2` or the `Accept` header for content negotiation.

4. **Media type versioning (content negotiation)** — `Accept: application/vnd.myapp.v2+json`.

Best practices:

- Document versions clearly and maintain changelogs.
- Support multiple versions for a reasonable deprecation period.
- Use semantic versioning for clarity (major.minor.patch) and break changes only on major version bumps.

Choosing a versioning strategy depends on client needs and infrastructure constraints.


## 10. What are the main components of an HTTP request and response in the context of Web APIs?

**HTTP Request components:**

1. **Request Line** — Method, URI, and HTTP version (e.g., `GET /users/1 HTTP/1.1`).

2. **Headers** — Key-value metadata (e.g., `Content-Type: application/json`, `Authorization: Bearer <token>`).

3. **Body** — Payload for methods like POST/PUT/PATCH (usually JSON in modern APIs).

**HTTP Response components:**

1. **Status Line** — HTTP version and status code (e.g., `HTTP/1.1 200 OK`).

2. **Headers** — Response metadata (e.g., `Content-Type`, `Cache-Control`).

3. **Body** — Response data (e.g., JSON object, HTML page, binary file).

**Status codes examples:**

- `200 OK` — Successful GET.
- `201 Created` — Resource created via POST.
- `204 No Content` — Success with no response body (e.g., successful DELETE).
- `400 Bad Request` — Client sent malformed data.
- `401 Unauthorized` — Authentication required or failed.
- `403 Forbidden` — Authenticated but not allowed.
- `404 Not Found` — Resource doesn't exist.
- `500 Internal Server Error` — Server-side error.

Together, these parts enable clear communication, error handling, and interoperability between clients and servers.


## 11. Describe the concept of rate limiting in the context of Web APIs.

Rate limiting is the process of restricting the number of requests a client can make to an API in a given time period.

**Why it's important:**
- Prevents abuse (e.g., denial of service attacks).
- Protects server resources and ensures fair usage among clients.
- Helps manage costs and performance.

**Common strategies:**
- Fixed window: Limit requests per time window (e.g., 1000 requests per hour).
- Sliding window: Rolling time window; more accurate than fixed.
- Token bucket / Leaky bucket: Allows bursts but enforces average rate.

**Example:** GitHub’s API allows 5000 requests per hour per authenticated user. Exceeding the limit results in 429 Too Many Requests response.


## 12. How can you handle errors and exceptions in Web API responses?

Good API design requires clear and consistent error handling.

**Best practices:**

1. Use proper HTTP status codes:
- 400 Bad Request — invalid input.
- 401 Unauthorized — missing/invalid authentication.
- 403 Forbidden — insufficient permissions.
- 404 Not Found — resource not available.
- 500 Internal Server Error — unexpected server failure.

2. Provide structured error responses (commonly JSON):
```json
{
  "error": "InvalidRequest",
  "message": "The 'email' field is required",
  "status": 400
}
```

3. Include error codes or identifiers for easier debugging.

4. Log errors internally without exposing sensitive details to clients.


## 13. Explain the concept of statelessness in RESTful Web APIs.

Statelessness means each request from a client to the server must contain all the necessary information to understand and process it.

**Implications:**
- Server does not store client session state between requests.
- Each request is independent and self-contained.
- Authentication data (like tokens) must be sent with each request.

**Benefits:**
- Improves scalability (any server can handle any request).
- Simplifies design and implementation.
- Easier fault tolerance.

**Example:** In a REST API, instead of storing login sessions on the server, clients send an authentication token with every request.


## 14. What are the best practices for designing and documenting Web APIs?

Best practices:

1. Consistency — Use standard naming conventions (e.g., plural nouns: /users, /orders).
2. Versioning — Include versioning strategy to manage breaking changes.
3. Proper use of HTTP methods and status codes.
4. Security — Use HTTPS, authentication, and authorization mechanisms.
5. Pagination and filtering — Avoid sending huge datasets at once.
6. Error handling — Provide meaningful error responses.
7. Documentation — Use Swagger (OpenAPI) or Postman collections.
8. Hypermedia links (HATEOAS) — Help clients navigate APIs.
9. Rate limiting — Protect against abuse.

Good documentation should include:
- Clear endpoint definitions.
- Request/response examples.
- Authentication details.
- Error codes and meanings.


## 15. What role do API keys and tokens play in securing Web APIs?

API keys and tokens are used for authentication and sometimes authorization.

- API Key: A static string assigned to a developer/app. Identifies the caller.
- Access Token: Short-lived credential proving authentication (often via OAuth).
- Refresh Token: Used to obtain new access tokens without re-authenticating.

Roles:
- Prevent anonymous usage.
- Identify and track API consumers.
- Enforce quotas and rate limits.
- Enable fine-grained access control.

Example: Google Maps API requires an API key to authenticate requests, while OAuth tokens are used for user-specific access.


## 16. What is REST, and what are its key principles?

REST (Representational State Transfer) is an architectural style for designing networked applications.

Key principles:
1. Client-Server — Separation of concerns.
2. Statelessness — Each request is self-contained.
3. Cacheable — Responses should define cacheability.
4. Uniform Interface — Standardized communication using URIs, HTTP methods, and status codes.
5. Layered System — Clients don’t need to know if they’re talking to the actual server or an intermediary.
6. Code on Demand (optional) — Server can send code (e.g., JavaScript) to clients.

REST emphasizes scalability, simplicity, and reusability.


## 17. Explain the difference between RESTful APIs and traditional web services.

- Traditional Web Services (like SOAP):
  - Heavier, XML-based.
  - Rigid standards and protocols.
  - Built-in advanced features (security, transactions).

- RESTful APIs:
  - Lightweight, JSON-based.
  - Simple HTTP verbs.
  - Flexible and widely used in modern web/mobile apps.

Main difference: REST is resource-oriented and stateless, while traditional web services like SOAP are operation-oriented and stateful.


## 18. What are the main HTTP methods used in RESTful architecture, and what are their purposes?

Main HTTP methods in REST:

- GET — Retrieve resource(s).
- POST — Create new resources.
- PUT — Replace entire resource.
- PATCH — Update part of a resource.
- DELETE — Remove a resource.
- HEAD — Retrieve headers only.
- OPTIONS — Discover available methods.

Mapping to CRUD:
- Create → POST
- Read → GET
- Update → PUT/PATCH
- Delete → DELETE


## 19. Describe the concept of statelessness in RESTful APIs.

Statelessness means the server does not retain client session information between requests.

Key points:
- Each request must contain all necessary data.
- No session storage on the server.
- Improves scalability and reliability.

Example: When calling GET /orders/123, the client includes an auth token in the request so the server can authenticate without stored session data.


## 20. What is the significance of URIs (Uniform Resource Identifiers) in RESTful API design?

URIs uniquely identify resources in RESTful APIs.

Significance:
- Provide a clear way to locate and access resources.
- Should be descriptive, hierarchical, and intuitive.

Best practices:
- Use nouns, not verbs (e.g., /users/123 instead of /getUser).
- Keep lowercase and consistent.
- Use plural nouns for collections (/users).
- Use path parameters for IDs (/users/{id}).

URIs form the backbone of RESTful API design.


## 21. Explain the role of hypermedia in RESTful APIs. How does it relate to HATEOAS?

Hypermedia in RESTful APIs means including links inside responses that guide clients on what actions they can take next. This concept is known as **HATEOAS** (Hypermedia As The Engine Of Application State).

For example, instead of just returning user data, an API might also include links:

```json
{
  "id": 123,
  "name": "Alice",
  "links": [
    {"rel": "self", "href": "/users/123"},
    {"rel": "orders", "href": "/users/123/orders"}
  ]
}
```

This allows the client to discover what actions are possible (follow the orders link) without hardcoding endpoints. HATEOAS increases API discoverability, flexibility, and decoupling between client and server.


## 22. What are the benefits of using RESTful APIs over other architectural styles?

Benefits include:

- **Simplicity**: Leverages standard HTTP methods and URIs.
- **Lightweight**: JSON payloads are smaller compared to XML-based SOAP.
- **Scalability**: Statelessness makes horizontal scaling easier.
- **Flexibility**: Supports multiple data formats (JSON, XML, YAML, etc.).
- **Interoperability**: Works across different languages and platforms easily.
- **Caching**: HTTP caching mechanisms (ETags, Cache-Control) improve performance.
- **Broad adoption**: Wide community support and tooling (OpenAPI/Swagger, Postman).

In contrast, SOAP is heavier and requires more strict contracts, while REST provides agility for modern applications.


## 23. Discuss the concept of resource representations in RESTful APIs.

In REST, resources are the core entities (users, orders, products). A **representation** is how those resources are transmitted between client and server.

For example:
- JSON: `{ "id": 1, "name": "Book" }`
- XML: `<user><id>1</id><name>Book</name></user>`

Key points:
- Multiple representations are possible for the same resource (JSON, XML, HTML, CSV).
- Content negotiation (`Accept` header) lets clients request specific formats.
- Representations may include metadata (links, pagination info).

This flexibility allows APIs to support different client requirements without changing core logic.


## 24. How does REST handle communication between clients and servers?

REST handles communication using the **request-response model** over HTTP:

1. **Client sends request**: Includes HTTP method, URI, headers, and optional body.
2. **Server processes request**: Identifies resource, applies logic, and generates response.
3. **Server sends response**: Includes status code, headers, and representation of the resource.

Characteristics:
- Stateless: Server does not store client state.
- Cacheable: Responses can be cached.
- Uniform interface: Standardized methods and URIs.

This model makes REST scalable, language-independent, and easy to integrate with web technologies.


## 25. What are the common data formats used in RESTful API communication?

Common formats:

- **JSON** (most widely used, lightweight).
- **XML** (legacy systems, SOAP compatibility).
- **YAML** (human-friendly config style, less common for APIs).
- **CSV** (bulk data exchange, spreadsheets).
- **HTML** (sometimes returned for browser clients).
- **Binary formats** like Protocol Buffers or MessagePack for efficiency.

APIs often support multiple formats and let clients specify preferences via the `Accept` header (content negotiation).


## 26. Explain the importance of status codes in RESTful API responses.

HTTP status codes tell clients the result of their request without parsing the body:

- **2xx Success**: `200 OK`, `201 Created`, `204 No Content`.
- **3xx Redirection**: `301 Moved Permanently`, `304 Not Modified`.
- **4xx Client Errors**: `400 Bad Request`, `401 Unauthorized`, `403 Forbidden`, `404 Not Found`, `429 Too Many Requests`.
- **5xx Server Errors**: `500 Internal Server Error`, `502 Bad Gateway`, `503 Service Unavailable`.

Importance:
- Allows consistent client handling of errors/success.
- Improves debugging and monitoring.
- Enables better developer experience.

Best practice: Always pair status codes with helpful error messages in the response body.


## 27. Describe the process of versioning in RESTful API development.

Versioning ensures backward compatibility when APIs evolve.

Common strategies:
- **URI versioning**: `/api/v1/users`.
- **Query parameter**: `/users?version=2`.
- **Header-based**: `Accept: application/vnd.myapp.v2+json`.
- **Content negotiation**: Version negotiated via media type.

Best practices:
- Use semantic versioning (v1, v2).
- Clearly document supported versions.
- Deprecate old versions gradually with notice.
- Keep minor/patch updates backward-compatible.

Good versioning improves stability and avoids breaking client integrations.


## 28. How can you ensure security in RESTful API development? What are common authentication methods?

Security is critical for REST APIs. Key measures:

1. **Authentication**:
- API keys.
- Basic auth (over HTTPS only).
- OAuth 2.0.
- JWT (JSON Web Tokens).

2. **Authorization**:
- Role-based access control (RBAC).
- Scope-based (OAuth scopes).

3. **Transport security**:
- Enforce HTTPS.
- Use TLS 1.2+.

4. **Input validation & sanitization**: Prevent SQLi, XSS, injection attacks.
5. **Rate limiting & throttling**: Defend against abuse.
6. **Logging & monitoring**: Detect suspicious activity.
7. **CORS policies**: Control cross-origin requests.

Best practice: Follow OWASP API Security Top 10.



## 29. What are some best practices for documenting RESTful APIs?

Best practices:

- Use **OpenAPI/Swagger** to provide machine-readable specs.
- Include **examples** for requests and responses.
- Clearly describe **authentication and authorization flows**.
- Document **error codes** with meaning and remedies.
- Provide **SDKs and sample code** in multiple languages.
- Keep docs versioned with the API.
- Provide **interactive sandbox/testing tools**.
- Use **consistent terminology** across endpoints.

Good documentation reduces support burden and increases adoption.


## 30. What considerations should be made for error handling in RESTful APIs?

Considerations:

- **Use standard HTTP status codes** to indicate error class.
- **Provide structured error responses** with fields like `code`, `message`, `details`.
- **Consistency**: Same error format across endpoints.
- **Do not expose sensitive details** (stack traces, SQL queries).
- **Include correlation IDs** for tracing.
- **Support i18n/localization** if clients are global.
- **Document error codes** and recovery actions.
- **Graceful degradation**: Offer fallback or clear messages.

Good error handling improves resilience and user experience.


## 31. Explain the role of middleware in Flask applications.

Middleware is software that sits between the web server and the Flask application, or between different layers within a Flask app. Its role is to process requests and responses, often modifying them before passing them along.

In Flask:
- Middleware can intercept requests before they reach view functions.
- It can modify responses before they are sent back to the client.
- Common uses: logging, authentication, request validation, error handling, CORS handling.

Example: WSGI middleware that logs every request before passing it to the Flask app.


## 32. What is the purpose of Blueprints in Flask?

Blueprints allow modular organization of a Flask application.

Purpose:
- Split large applications into smaller, reusable components.
- Each blueprint can define routes, templates, static files, and error handlers.
- Blueprints are registered on the main Flask app instance, enabling flexibility.

Example use cases:
- An `auth` blueprint for login/logout routes.
- An `admin` blueprint for administration interfaces.

Blueprints promote maintainability, reusability, and clean project structure.


## 33. How does Flask handle routing?

Routing in Flask maps URLs to Python functions.

Mechanism:
- Routes are defined using decorators like `@app.route('/path')`.
- When a request comes to a path, Flask invokes the corresponding view function.
- Dynamic routes support parameters, e.g., `/user/<int:id>`.
- HTTP methods can be specified (`methods=['GET', 'POST']`).

Example:
```python
@app.route('/hello/<name>', methods=['GET'])
def hello(name):
    return f"Hello, {name}!"
```


## 34. What is Jinja2, and how is it used in Flask?

Jinja2 is Flask's default templating engine.

Usage:
- Allows embedding Python-like expressions in HTML templates.
- Supports control structures like loops and conditionals.
- Prevents injection attacks with auto-escaping.
- Encourages template inheritance and reusable layouts.

Example template:
```html
<h1>Hello {{ user.name }}</h1>
{% for item in items %}
  <li>{{ item }}</li>
{% endfor %}
```


## 35. Explain the concept of request and response objects in Flask.

Flask uses `request` and `response` objects to represent incoming and outgoing HTTP messages.

**Request object (`flask.request`):**
- Provides access to data about the incoming request.
- Includes attributes like `request.method`, `request.args` (query params), `request.form` (form data), `request.json` (JSON body), `request.headers`.

**Response object (`flask.Response`):**
- Represents the outgoing HTTP response.
- Includes status code, headers, and body.
- View functions can return strings, dicts, or explicit Response objects.

Together, they encapsulate communication between clients and the Flask app.


## 36. What is the difference between synchronous and asynchronous request handling in Flask?

Synchronous handling:
- Default in Flask.
- Each request is handled sequentially by a worker.
- If one request is slow (e.g., blocking I/O), it ties up the worker until completion.

Asynchronous handling:
- Uses async functions (Flask 2.x+ supports `async def` routes).
- Non-blocking I/O (e.g., async database calls, external API calls).
- Allows better concurrency and scalability with fewer resources.

Considerations:
- Requires an async-capable server (e.g., Gunicorn with `uvicorn.workers.UvicornWorker`).
- Not all Flask extensions support async.

Use async for high-latency tasks like network calls; use sync for CPU-bound tasks.


## 37. What is the Flask application context and request context?

Contexts in Flask provide access to objects tied to the current app or request.

- **Application context (`app_context`)**: Provides access to `current_app` (the active app instance) and `g` (global storage).
- **Request context (`request_context`)**: Provides access to `request` and `session` objects tied to the current request.

Flask pushes/pops these contexts around each request.

Example:
```python
from flask import current_app, g

with app.app_context():
    print(current_app.name)
```


## 38. How does Flask handle sessions?

Flask sessions allow persisting data across requests for a particular client.

Mechanism:
- Flask uses signed cookies by default to store session data on the client.
- Data is serialized and cryptographically signed with the app's `SECRET_KEY`.
- Prevents tampering but data is visible to client (not encrypted).

Usage:
```python
from flask import session

@app.route('/login')
def login():
    session['user_id'] = 42
    return 'Logged in'
```

Best practices:
- Keep session data minimal.
- Use server-side session extensions (e.g., Flask-Session, Redis) for large or sensitive data.
- Always use HTTPS to protect cookies.


## 39. What are Flask extensions, and why are they useful?

Flask extensions are add-ons that provide extra functionality not included in the core framework.

Examples:
- Flask-SQLAlchemy for database ORM.
- Flask-Migrate for database migrations.
- Flask-WTF for form handling and validation.
- Flask-Login for authentication.
- Flask-RESTful for building REST APIs.

Why useful:
- Reduce boilerplate code.
- Provide tested integrations with common tools.
- Maintain Flask's lightweight core but allow customization.

Extensions follow Flask conventions and integrate seamlessly.


## 40. How can you connect a Flask application to a database?

Flask itself does not include a database layer, but connections can be established via libraries.

Options:
- **Raw database driver**: Use libraries like `sqlite3` or `psycopg2` for PostgreSQL.
- **ORM (Object-Relational Mapping)**: Use Flask-SQLAlchemy to map classes to tables.
- **NoSQL integration**: Use libraries like PyMongo for MongoDB.

Example with SQLAlchemy:
```python
from flask_sqlalchemy import SQLAlchemy
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///test.db'
db = SQLAlchemy(app)

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(80))
```

Best practices:
- Use environment variables for DB credentials.
- Use connection pooling for performance.
- Use Alembic/Flask-Migrate for schema migrations.
