We looked at a basic API that didn't require authentication, but most do. Imagine that we're using the **reddit API** to pull a list of our private messages. It would be a huge privacy breach for reddit to give that information to anyone, so requiring authentication makes sense.

APIs also use authentication to perform **rate limiting**. Developers typically use APIs to build interesting applications or services. In order to ensure that it remains available and responsive for all users, an API will prevent us from making too many requests in too short a time. We call this restriction **rate limiting**. It ensures that one user can't overload the API server by making too many requests too fast.

We'll explore the **GitHub API** and use it to pull some interesting data on **repositories** and **users**. GitHub is a site for hosting code. 

GitHub has **user accounts** , **repositories** that contain code, and **organizations** that companies can create ([example](https://github.com/dataquestio)).

Take a look at the [documentation for the GitHub](https://developer.github.com/v3/) API, and specifically the [authentication](https://developer.github.com/v3/#authentication) section.

To authenticate with the GitHub API, we'll need to use an **access token**. An access token is a credential we can [generate on GitHub's website](https://github.com/settings/tokens). The token is a string that the API can read and associate with our account.

Using a token is preferable to a username and password for a few reasons:

* Typically, we'll be accessing an API from a script. If we put our username and password in the script and someone manages to get their hands on it, they can take over our account. In contrast, we can revoke an access token to cancel an unauthorized person's access if there's a security breach.
* Access tokens can have scopes and specific permissions. For instance, we can make a token that has permission to write to our GitHub repositories and make new ones. Or, we can make a token that can only read from our repositories. Using read-access-only tokens in potentially insecure or shared scripts gives us more control over security.

We'll need to pass our token to the GitHub API through an **Authorization header**. Just like the server sends headers in response to our request, we can send the server headers when we make a request. 

Headers contain metadata about the request. We can use Python's requests library to make a dictionary of headers, and then pass it into our request.

We need to include the word **token** in the Authorization header, followed by our access token. Here's an example of an Authorization header:

`{"Authorization": "token 1f36137fbbe1602f779300dad26e4c1b7fbab631"}`

To generate a token, **login to github**, go to **Settings** and then **Developer settings**. Now clicking on **personal access token** allow us to generate a token.

In this case, our access token is `1f36137fbbe1602f779300dad26e4c1b7fbab631`. GitHub generated this token and associated it with the account of **AmiApex-Student**.

We should never share our token with anyone we don't want to have access to our account. We've revoked the token we'll be using throughout this file, so it isn't valid anymore. Consider a token somewhat equivalent to a password, and store it securely.

In [7]:
import requests
# Create a dictionary of headers containing our Authorization header.
headers = {"Authorization": "token 4795d56cd103527fafcabafd42ad3cc7245133ad"}

# Make a GET request to the GitHub API with our headers.
# This API endpoint will give us details about AmiApex-Student.
response = requests.get("https://api.github.com/users/AmiApex-Student", 
                        headers = headers)  # "https://api.github.com/users/waqas"
response.status_code

200

In [2]:
print(response.headers["content-type"])

# Print the content of the response.  As we can see, this token corresponds to the account of AmiApex-Student.
print(response.json())

application/json; charset=utf-8
{'login': 'AmiApex-Student', 'id': 52908953, 'node_id': 'MDQ6VXNlcjUyOTA4OTUz', 'avatar_url': 'https://avatars2.githubusercontent.com/u/52908953?v=4', 'gravatar_id': '', 'url': 'https://api.github.com/users/AmiApex-Student', 'html_url': 'https://github.com/AmiApex-Student', 'followers_url': 'https://api.github.com/users/AmiApex-Student/followers', 'following_url': 'https://api.github.com/users/AmiApex-Student/following{/other_user}', 'gists_url': 'https://api.github.com/users/AmiApex-Student/gists{/gist_id}', 'starred_url': 'https://api.github.com/users/AmiApex-Student/starred{/owner}{/repo}', 'subscriptions_url': 'https://api.github.com/users/AmiApex-Student/subscriptions', 'organizations_url': 'https://api.github.com/users/AmiApex-Student/orgs', 'repos_url': 'https://api.github.com/users/AmiApex-Student/repos', 'events_url': 'https://api.github.com/users/AmiApex-Student/events{/privacy}', 'received_events_url': 'https://api.github.com/users/AmiApex-Stu

APIs usually let us retrieve information about specific objects in a database. For example, we retrieved information about a specific user object, **AmiApex-Student**. 

We could also retrieve information about other GitHub users through the same endpoint. For example, https://api.github.com/users/torvalds would get us information about [Linus Torvalds](https://en.wikipedia.org/wiki/Linus_Torvalds).

In [3]:
# Use the endpoint https://api.github.com/users/torvalds with the same headers from before 
# to get information about Linus Torvalds.
# Use the response.json() method to get the JSON of the response.

response = requests.get("https://api.github.com/users/torvalds")
torvalds = response.json()
torvalds

{'login': 'torvalds',
 'id': 1024025,
 'node_id': 'MDQ6VXNlcjEwMjQwMjU=',
 'avatar_url': 'https://avatars0.githubusercontent.com/u/1024025?v=4',
 'gravatar_id': '',
 'url': 'https://api.github.com/users/torvalds',
 'html_url': 'https://github.com/torvalds',
 'followers_url': 'https://api.github.com/users/torvalds/followers',
 'following_url': 'https://api.github.com/users/torvalds/following{/other_user}',
 'gists_url': 'https://api.github.com/users/torvalds/gists{/gist_id}',
 'starred_url': 'https://api.github.com/users/torvalds/starred{/owner}{/repo}',
 'subscriptions_url': 'https://api.github.com/users/torvalds/subscriptions',
 'organizations_url': 'https://api.github.com/users/torvalds/orgs',
 'repos_url': 'https://api.github.com/users/torvalds/repos',
 'events_url': 'https://api.github.com/users/torvalds/events{/privacy}',
 'received_events_url': 'https://api.github.com/users/torvalds/received_events',
 'type': 'User',
 'site_admin': False,
 'name': 'Linus Torvalds',
 'company': 'L

In addition to users, the GitHub API has a few other types of objects. For example, https://api.github.com/orgs/dataquestio will retrieve information about the Dataquest organization on GitHub. 

https://api.github.com/repos/octocat/Hello-World will give us information about the Hello-World repository that the user octocat owns.

GitHub offers full [documentation](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps) for all of the API's endpoints.

In [4]:
# Make a GET request to the https://api.github.com/AmiApex-Student/Python-Fundamentals endpoint.

response = requests.get("https://api.github.com/repos/AmiApex-Student/Python-Fundamentals",headers = headers)
python_Fundamentals = response.json()
python_Fundamentals

{'id': 196946485,
 'node_id': 'MDEwOlJlcG9zaXRvcnkxOTY5NDY0ODU=',
 'name': 'Python-Fundamentals',
 'full_name': 'AmiApex-Student/Python-Fundamentals',
 'private': False,
 'owner': {'login': 'AmiApex-Student',
  'id': 52908953,
  'node_id': 'MDQ6VXNlcjUyOTA4OTUz',
  'avatar_url': 'https://avatars2.githubusercontent.com/u/52908953?v=4',
  'gravatar_id': '',
  'url': 'https://api.github.com/users/AmiApex-Student',
  'html_url': 'https://github.com/AmiApex-Student',
  'followers_url': 'https://api.github.com/users/AmiApex-Student/followers',
  'following_url': 'https://api.github.com/users/AmiApex-Student/following{/other_user}',
  'gists_url': 'https://api.github.com/users/AmiApex-Student/gists{/gist_id}',
  'starred_url': 'https://api.github.com/users/AmiApex-Student/starred{/owner}{/repo}',
  'subscriptions_url': 'https://api.github.com/users/AmiApex-Student/subscriptions',
  'organizations_url': 'https://api.github.com/users/AmiApex-Student/orgs',
  'repos_url': 'https://api.github.com

Sometimes, a request can return a lot of objects.For example, if a user has 1,000+ repositories, requesting all of them might take 10+ seconds. This isn't a great user experience, so it's typical for API providers to implement **pagination**. 

This means that the API provider will only return a certain number of **records per page**. We can specify the **page number** that we want to access. To access all of the pages, we'll need to write a loop.

To get the repositories a user has starred (marked as interesting), we can use the following API endpoint:

https://api.github.com/users/AmiApex-Student/starred

We can add two pagination query parameters to it - **page**, and **per_page**. **page** is the page we want to access, and **per_page** is the number of records we want to see on each page. 

Typically, API providers enforce a cap on how high per_page can be, because setting it to an extremely high value defeats the purpose of pagination.

Check out the Github API [documentation on pagination](https://developer.github.com/v3/#pagination).

In [17]:
params = {"page":1, "per_page":2}
response = requests.get("https://api.github.com/users/AmiApex-Student/starred", headers = headers,params=params)
len(response.json())

2

So far, we've looked at endpoints where we need to explicitly provide the username of the person whose information we're looking up. For example, we used https://api.github.com/users/VikParuchuri/starred to pull up the repositories that VikParuchuri starred.

Since we've authenticated with our token, the system knows who we are, and can show us some relevant information without us having to specify our username.

Making a GET request to https://api.github.com/user will give us information about the user the authentication token is for.

There are other endpoints that behave like this. They automatically provide information or allow us to take actions as the authenticated user.

In [6]:
import requests

response = requests.get(" https://api.github.com/user", headers=headers)
response.json()

{'login': 'AmiApex-Student',
 'id': 52908953,
 'node_id': 'MDQ6VXNlcjUyOTA4OTUz',
 'avatar_url': 'https://avatars2.githubusercontent.com/u/52908953?v=4',
 'gravatar_id': '',
 'url': 'https://api.github.com/users/AmiApex-Student',
 'html_url': 'https://github.com/AmiApex-Student',
 'followers_url': 'https://api.github.com/users/AmiApex-Student/followers',
 'following_url': 'https://api.github.com/users/AmiApex-Student/following{/other_user}',
 'gists_url': 'https://api.github.com/users/AmiApex-Student/gists{/gist_id}',
 'starred_url': 'https://api.github.com/users/AmiApex-Student/starred{/owner}{/repo}',
 'subscriptions_url': 'https://api.github.com/users/AmiApex-Student/subscriptions',
 'organizations_url': 'https://api.github.com/users/AmiApex-Student/orgs',
 'repos_url': 'https://api.github.com/users/AmiApex-Student/repos',
 'events_url': 'https://api.github.com/users/AmiApex-Student/events{/privacy}',
 'received_events_url': 'https://api.github.com/users/AmiApex-Student/received_eve

So far, we've been making **GET** requests. We use **GET requests** to retrieve information from a server (hence the name **GET**). There are a few other types of API requests.

For example, we use **POST** requests to send information (instead of retrieve it), and to create objects on the API's server. With the GitHub API, we can use **POST requests** to create new repositories.

Different API endpoints choose what types of requests they will accept. Not all endpoints will accept a **POST request**, and not all will accept a **GET request**. We'll have to consult the [API's documentation](https://developer.github.com/v3/) to figure out which endpoints accept which types of requests.

We can make POST requests using `requests.post`. POST requests almost always include data, because we need to send the data the server will use to create the new object.

We pass in the data in a way that's very similar to what we do with query parameters and GET requests:

`payload = {"name": "test"}
requests.post("https://api.github.com/user/repos", json=payload)`

The code above will create a new repository named test under the account of the currently authenticated user. It will convert the payload dictionary to JSON, and pass it along with the POST request.

Check out GitHub's [API documentation for repositories](https://developer.github.com/v3/repos/) to see a full list of what data we can pass in with this POST request. Here are just a couple data points:

* `name` -- Required, the name of the repository
* `description` -- Optional, the description of the repository

A successful POST request will usually return a `201` status code indicating that it was able to create the object on the server. Sometimes, the API will return the JSON representation of the new object as the content of the response.

In [7]:
# Create a repository named about-apis

apis = {"name":"about-apis"}

response = requests.post("https://api.github.com/user/repos", json = apis, headers = headers)
print(response.status_code)

201


Sometimes we want to update an existing object, rather than create a new one. This is where **PATCH** and **PUT** requests come into play.

We use **PATCH requests** when we want to change a few attributes of an object, but don't want to resend the entire object to the server. Maybe we just want to change the name of our repository, for example.

We use **PUT requests** to send the complete object we're revising as a replacement for the server's existing version.

In practice, API developers don't always respect this convention. Sometimes API endpoints that accept PUT requests will treat them like PATCH requests, and not require us to send the whole object back.

We send a data with PATCH requests, the same way we do with POST requests:

A successful PATCH request will usually return a 200 status code.

In [8]:
# Make a PATCH request

apis = {"description": "Learning about requests!", "name" : "about-apis"}

response = requests.patch("https://api.github.com/repos/AmiApex-Student/about-apis", json=apis, headers=headers)
response.status_code

200

The final major request type is the **DELETE request**. The **DELETE request** removes objects from the server. We can use the **DELETE request** to remove repositories.

A successful **DELETE** request will usually return a `204` status code indicating that it successfully deleted the object.

Use **DELETE** requests carefully - it's very easy to remove something important by accident.

In [9]:
requests.delete("https://api.github.com/repos/AmiApex-Student/about-apis", 
                headers=headers)
response.status_code

200