- In this chapter, we will cover how to deal with **API (Application Programming Interface)** using Python. 
- To do this, we are going to cover both how to **create** and **access** an API and build examples to do both. 
- Before we get to write any code, we need to cover what an API is and why its useful. 
- An API is a mechanism that allows communication between software applications and in this case will cover communication between an application and a web user. 
- The uses of APIs have become increasingly popular allowing users to access data or communicate with services. 
- They give a unified approach to doing so and therefore have become an important aspect to become familiar with, understanding how to communicate with.
- We begin by creating our own API to do this. 
- We are going to use the Python packages, flask as well as the flask-restful. 
- To see if you have the packages you can try and import them.

In [1]:
from flask import *
from flask_restful import *

- Now, flask comes by default with the Anaconda distribution of Python but you may not have flask_restful.
- If that is the case, you will need to install it. 
- To do so go to https://anaconda.org/conda-forge/flask-restful.
- Now, while this book has intended to be self-contained and not rely on many things outside the Anaconda distribution of Python, the url around things like the Anaconda website and subsequent links within it may change. 
- If at the time of reading this is the case, then you just need to search the package list of Anaconda to get this. 
- You could also do a simple search of conda flask restful using your favourite search engine and you should find the relevant web pages. 
- You can then install flask-restful from the command line using one of the conda commands given.
- With all the packages installed, we can then look to create our very first API, to do so we will work within the confines of a script, so create a file called **my_flask_api.py** and add the following in the file.

- Let’s first run this and then explain what is going on. 
- To do so, open up a terminal or command prompt and change directory to where your file is living.
- Once there, run the command _**python my_flask_api.py**_.
- What this is doing is starting up your API and you are now running it locally on machine.
- This means that it is accessible by you on your machine but not available on the world wide web. 
- To demonstrate, we open up a web browser and go to the ip address http://127.0.0.1:5000/.

- How has this all happened? Let’s go back and look at the original code.

- We initially import the relevant objects from both flask and flask_restful, and then we create a flask app using the Flask method with the name of the current module passed in via __ name __
- This gives us an app object, and we can then create an api object by passing the app into the API method. 
- This is our setup stage, next we want to add an endpoint to it.

- In this code snippet, we create a class named HelloWorld using the argument of Resource.
- Within this class we create a method called **get**, which simply returns the dictionary of hello with the key world.

- Lastly, show the code that is executed to start the api up. 
- In relation to the app object, we use its run method with the argument of debug set as True. 
- This makes the api available locally for the user. 
- This block of code does raise an interesting line of code, namely,

- This is common place within Python but many use it without understanding it, and we will attempt to resolve that now. 
- Using an if statement with the == between two variables is pretty straightforward but what do __ name __ and '__ main __ ' mean? 
- As shown when the Flask object was created, we used the __ name __ variable which gives us the name of the current module. 
- But how does this work, we will show by an example creating two files that each call the __ name __ variable to show how it behaves. 
- Let us call our first file **file_one.py**, we put the following code in there:

If we run this code, then we see the output:

Now, we create **file_two.py** and put in the following code:

If we run this code, then we see the output:

All sounds sensible but if we now import file_two.py into file_one.py as follows:

We get the following output:

What does this mean in relation to the original code snippet?

- Essentially in having that bit of code, it means that if we run the code from the script that it is in, then we can execute what lives within the if statement.
- So, we have our API running on http://127.0.0.1:5000/ if we maintain the persistence of the script my_flask_api.py. 
- So, keep that running in the same window you had it going in before. 
- Now, if we want to programmatically get the data from our own API, we need to use the requests package and access the data. 
- If we work in the console we can interactively access the API running on our own machine using the following code:


In [2]:
# run my_flask_api.py

import requests

In [3]:
data = requests.get('http://127.0.0.1:5000/')
data

<Response [200]>

- Now, if you refer back to the window where you are running your API from, you will notice that a get request was made to the **endpoint /** at the time you ran the **requests.get** method with the url as the argument. 
- You’ll notice that the data variable from the requests.get doesn’t give us the json data that we saw from the website but instead gave us a response of 200. 
- If we use the dir method around the data object, then we see the following:

In [4]:
dir(data)

['__attrs__',
 '__bool__',
 '__class__',
 '__delattr__',
 '__dict__',
 '__dir__',
 '__doc__',
 '__enter__',
 '__eq__',
 '__exit__',
 '__format__',
 '__ge__',
 '__getattribute__',
 '__getstate__',
 '__gt__',
 '__hash__',
 '__init__',
 '__init_subclass__',
 '__iter__',
 '__le__',
 '__lt__',
 '__module__',
 '__ne__',
 '__new__',
 '__nonzero__',
 '__reduce__',
 '__reduce_ex__',
 '__repr__',
 '__setattr__',
 '__setstate__',
 '__sizeof__',
 '__str__',
 '__subclasshook__',
 '__weakref__',
 '_content',
 '_content_consumed',
 '_next',
 'apparent_encoding',
 'close',
 'connection',
 'content',
 'cookies',
 'elapsed',
 'encoding',
 'headers',
 'history',
 'is_permanent_redirect',
 'is_redirect',
 'iter_content',
 'iter_lines',
 'json',
 'links',
 'next',
 'ok',
 'raise_for_status',
 'raw',
 'reason',
 'request',
 'status_code',
 'text',
 'url']

In [5]:
data.json()

{'hello': 'world'}

In [6]:
data.status_code

200

In [7]:
data.reason

'OK'

In [8]:
data.text

'{\n    "hello": "world"\n}\n'

In [9]:
data.url

'http://127.0.0.1:5000/'

- So, here we can see the **methods** and **attributes** of the data object and we look at a few of these. 
- The json method of the object unsurprisingly gives the json that we saw from the endpoint via the web browser. 
- The status_code attribute returns the status of the web request that we made here 200, which is a successful request. 
- We will not cover all status codes within this book, however if you are interested then they are easily accessible online.
- Alongside a status code, we also have a reason, here we would expect an informative message to alongside our status code. 
- The text representation of what is returned is also available alongside the url we used. 
- What is clear is that we get a lot of information back from our request.

- Now this is a good first example, but it only demonstrates the get request and actually the information isn’t that useful as we only get back some simple json. 
- What we will do next is create an API that allows us to get, post, and delete information from a small movie database that we will add to the code. 
- The full code is shown below and as usual we will step through it line by line:


The imports that we use within this API are as follows:

- This is similar to what we used in the hello world example. 
- However, now there are two more imports from flask_restful, namely reqparse and abort. 
- **Reqparse** is an **argument parser** that we can make use of to process arguments sent with the web request to the API as shown below:

- Here, we create a **RequestParser()** and then add arguments, name, year, and month, which we will pass when we need to add a film.
- Adding this doesn’t allow us to get the arguments, to do this we need to parse them out and later in the code we have the following snippet of code:

- What this does is parse the arguments from the RequestParser and then store them in a dictionary.
- The abort import is used in a custom function that we use to send an appropriate message if the film_id doesn’t exist.

- Here, we **pass the film_id as an argument** and if the id doesn’t exist in the dictionary then a 404 is given with a custom message relating to the film that doesn’t exist. 
- We use this function in a number of places within the code as we will show.
- Next, we consider the **two classes** that are in the code namely **Films** and **FilmDict**.
- The first of these looks as follows:

- This class defines **get, delete, and put methods** which do, as you would think, what it says on the tin and gets a film, deletes a film, and puts a film in our dictionary. 
- Notice that in the get and delete methods, we use our abort_if_film_doesnt_exist function to first check if the film exists and sends the appropriate error message and status code. 
- Note that we could have done it in each method but if we ended up with 20 different methods that would be lots of repeated code. 
- The actual nuts and bolts of what this code does is pretty straight forward and uses dictionary methods covered within this book. 
- Note that for the delete and put methods we return a status code alongside an empty string for the delete method or the task for the put method.

- The next class only has a single get method and returns our entire database of films, but why have this as a separate class?
- This is because we add this to a **separate url** as shown in the following code snippet:

Now, the FilmsDict class be accessed at the films url, if we want to get, delete, or put a film based on an id and we do so via:

- And as before, we run the app in debug mode. 
- To get this running, we change directory to where the code resides, run the script, and we will have the API available on http://127.0.0.1:5000/ but this is not a valid url as per code shown above.
- So, we further navigate to http://127.0.0.1:5000/films

- We can pass an id of a film that exists and get the result.
- If we enter the id for a film that isn’t already in our database, we will get the message as below:

message="Film {} doesn't exist"

- Now, if we want to use the API to add or delete films we can do so using the requests library. 
- So, let’s show some code examples.

In [10]:
# run Film.py

import requests

In [11]:
r = requests.get('http://127.0.0.1:5000/films')
r.json()

{'1': {'Name': 'Avengers: Infinity War', 'Year': 2018, 'Month': 'March'},
 '2': {'Name': 'Ant Man and the Wasp', 'Year': 2018, 'Month': 'August'}}

In [12]:
r = requests.get('http://127.0.0.1:5000/films/1')
r.json()

{'Name': 'Avengers: Infinity War', 'Year': 2018, 'Month': 'March'}

In [13]:
r = requests.get('http://127.0.0.1:5000/films/3')
r.json()

{'message': "Film 3 doesn't exist"}

In [14]:
# If port is not included in the request path, the default port of 80 will be used.
# In this case, most probably, error will be occured as below:
# ConnectionError: HTTPConnectionPool(host='127.0.0.1', port=80)

- So, we can call the same urls that we did before from the browser using requests. 
- Now, let’s show how to add and delete using the api.

In [15]:
r = requests.delete('http://127.0.0.1:5000/films/1')

In [16]:
r.text

''

In [17]:
r.status_code

204

- To delete a film based on the id, we use the delete method and pass in the url and note that the text and status code match that mentioned within the API code. 
- Now, to add that record back in we can use the put method.

In [18]:
r = requests.get('http://127.0.0.1:5000/films')
r.json()

{'2': {'Name': 'Ant Man and the Wasp', 'Year': 2018, 'Month': 'August'}}

In [19]:
r = requests.put('http://127.0.0.1:5000/films/1', 
                 data={'name':'Avengers: Infinity War',
                       'year':2018,
                       'month':'March'})

In [20]:
r.json()

{'Name': 'Avengers: Infinity War', 'Year': '2018', 'Month': 'March'}

In [21]:
r.status_code

201

In [22]:
r = requests.get('http://127.0.0.1:5000/films')
r.json()

{'1': {'Name': 'Avengers: Infinity War', 'Year': 2018, 'Month': 'March'},
 '2': {'Name': 'Ant Man and the Wasp', 'Year': 2018, 'Month': 'August'}}

- We can see that we had only the film with id 2 available so using the put method with the same arguments as the reqparser means we can use the data argument to populate id 1. 
- In sending the put request we get back the data in the form it has been added with the variable names matching what we have in the API. 
- Lastly, we check that it was added correctly by calling the http://127.0.0.1:5000/films and getting all the films we have, which shows the film with id 1 was added back in.

- So far, our API has been **public** but what if we want to secure it in some way? 
- To do so, we need some authentication on our API, and below we discuss some of the options available to us.

#### Basic Authentication 
- As the name suggests, the definition of basic authentication (Basic Auth) is a server asking for a username and a password (e.g. to a personal social media account) to allow access to private data (though there are potential security risks to be aware of if this data is not encrypted as it is transferred). 
- Basic Auth is performed over HTTP and is encrypted using SSL to protect the username and password being transmitted.
- Note that Basic Auth can be done without SSL but sensitive data will be transmitted over HTTP unencrypted which is an extreme security risk. 
- Basic Auth is a simple authentication technique which makes coding it into scripts a relatively straightforward process.
- However, since it relies on the use of a username and password to access the API and manage the account associated with it, this is not ideal. 
- It is like you lending your car keys to your friend and the keys can open everything in your house and workplace as well. 
- Put differently, if you give your social media usernames and passwords out to scripts, those scripts will end up having a far greater access to your personal social media accounts than you might like!

#### API Key Authentication 
- API key authentication is a technique that overcomes the weakness of Basic Auth by requiring the API to be accessed with a unique key. 
- The key is usually a long series of letters and numbers that is completely separate from the user’s login details (e.g. username and password). 
- As such, API keys can be intentionally limited for security reasons, so that they provide access only to the bits of data and services users we need, rather than granting access to everything.

#### OAuth Token 
- OAuth is a prevailing standard that applications can use to provide client applications with secure access that operates using the principles of API key authentication.
- OAuth authorises devices, APIs, servers and applications with access tokens rather than credentials. 
- When OAuth is used to authenticate a connection to a server an authentication request is sent from the client application (in the present case, a Python script that we build) to an authentication server. 
- It is the authentication server that generates the OAuth token.
- The token is returned to the client application over HTTPS, which then passes it to the API server. 
- You may have come across websites or apps that ask you to login with your Google, Facebook, or Twitter account. 
- In these cases Google, Facebook, or Twitter are acting as an authentication server. 
- Note that an authentication server doesn’t need to be a third-party server, but will generally be a different server to the one providing data.

In the last example of this chapter, we will create an API that uses **basic authentication** to authenticate a web request. The full code is shown as follows:

- Now much of this code is similar to what we have seen before? 
- So, we will just go over the new elements of which there are two.

- In the above block of code, we add in the HTTPBasicAuth from flask_httpauth.
- You may need to install this package, so refer back to earlier in the book where we showed you where to find the command for a specific package. 
- With this imported we create a HTTPBasicAuth() object and assign it to auth. 
- We then create a **dictionary containing user data which has a username and password as key and value**.

- Next, we create a **verify function** which takes the username and password as arguments and returns True if the value of the dictionary call using the username gives the password we have. 
- Note that we use get method of the dictionary so we don’t get a key error.
- This is decorated this with the auth verify_password. 
- We can then use the decorator auth.login_required on our get method that means we must be logged in to get the return of the HelloWorld class. 
- The resource is added to the endpoint /hello_world and we run the API in the way we have done in the previous examples.

With the API running we can then attempt to access the endpoint http://127.0.0.1:5000/hello_world using the requests library.

In [23]:
# run BasicAuth.py

import requests

In [24]:
r = requests.get('http://127.0.0.1:5000/hello_world')

In [25]:
r.status_code

401

In [26]:
r = requests.get('http://127.0.0.1:5000/hello_world', auth=('admin','atCh_5K}?g'))

In [27]:
r.status_code

200

In [28]:
r.json()

{'Hello': 'World'}

- In the first example, we use the standard get method and get back the status code of **401** which refers to us being **unauthorised**. 
- So to become authorised, in the second example, we **pass a tuple of username and password to the auth argument** and we get access to the endpoint and see we get back the expected json response.

- In this chapter, we have covered API’s how to create then and how to access them. 
- All examples have been run locally on our machine, however Python is a great tool for production quality APIs. 
- The examples relating to how to access APIs are particularly useful for those wishing to work with different data sources as APIs are common place as a solution to allow users to interact with. 
- While requests are great for interfacing directly with APIs you may find packages that wrap up some of the complexity associated with providers APIs.