Skip to main content
System Design – Complete Beginner to Advanced Guide
CHAPTER 07 Intermediate

APIs and Communication

Updated: May 16, 2026
30 min read

# CHAPTER 7

APIs and Communication

1. Introduction

In a monolithic architecture, different parts of the code communicate instantly by calling local functions. In a distributed, modern architecture, the mobile app, the web frontend, the payment microservice, and the notification engine are all physically separated on different servers. They cannot call local functions; they must communicate over the network. APIs (Application Programming Interfaces) are the digital contracts that allow these disparate systems to talk to each other. If your API design is chaotic, your entire distributed system will collapse under its own complexity. In this chapter, we will master APIs and Communication. We will enforce the strict architectural rules of REST, explore the efficiency of GraphQL, and deploy API Gateways to protect our backend from malicious traffic.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define what an API is in the context of distributed systems.
  • Architect clean, resource-based RESTful APIs using standard HTTP verbs.
  • Compare REST architecture against the dynamic querying of GraphQL.
  • Explain the role of an API Gateway in microservices architecture.
  • Engineer defensive mechanisms like Rate Limiting and Pagination.

3. The REST Architectural Style

Representational State Transfer (REST) is the absolute industry standard for designing web APIs.
  • Resource-Based: In REST, everything is a "Resource" (e.g., Users, Posts, Products). You do not design URLs based on *actions* (like /getRecentPosts); you design URLs based on *nouns* (like /posts).
  • Standardized Verbs: You manipulate the resources using strict HTTP verbs:
  • GET /users (Retrieve a list of users)
  • POST /users (Create a new user)
  • GET /users/123 (Retrieve a specific user)
  • PUT /users/123 (Update a specific user)
  • DELETE /users/123 (Delete a specific user)
  • JSON Standard: The vast majority of REST APIs send and receive data formatted as JSON (JavaScript Object Notation).

4. GraphQL (The REST Alternative)

As mobile apps became more complex, REST revealed a flaw: Over-fetching and Under-fetching.
  • The REST Flaw: If a mobile app only needs a user's name to display in a top bar, a REST call to GET /users/123 might return 50 fields of data (email, address, history), wasting the user's mobile data bandwidth (Over-fetching).
  • The GraphQL Solution: Developed by Facebook, GraphQL is a query language. There is only ONE endpoint (/graphql). The client explicitly requests *exactly* the data it wants.
  • The Query: The client sends: query { user(id: 123) { name } }
  • The Response: The server returns exactly one field: { "data": { "user": { "name": "John" } } }. Highly efficient, but significantly more complex to engineer on the backend.

5. The API Gateway

If you have 50 different microservices, having the mobile app memorize 50 different IP addresses is an architectural nightmare.
  • The Gateway Pattern: An API Gateway is a specialized server that sits at the absolute front of your architecture (often combined with the Load Balancer).
  • The Router: The mobile app only talks to ONE URL (the API Gateway). If the app requests /payments, the Gateway routes it to the Payment Microservice. If it requests /users, the Gateway routes it to the User Microservice.
  • The Shield: The API Gateway handles Authentication, SSL Termination, and Logging centrally, so your 50 microservices don't have to duplicate that code.

6. Rate Limiting (Defensive Design)

APIs are the public doors to your database. You must prevent abuse.
  • The Attack: A malicious bot or a buggy client script tries to hit your POST /login API 10,000 times a second, attempting to crash your database or brute-force a password.
  • The Defense: Rate Limiting.
  • The Logic: You configure the API Gateway to track IP addresses or API Keys. You implement a rule: "Maximum 100 requests per minute per IP." If they exceed the limit, the Gateway blocks them and returns an HTTP 429 Too Many Requests status code, completely shielding the fragile backend servers.

7. Diagrams/Visual Suggestions

*Architecture Diagram: The API Gateway Pattern*
text
1234567 
[ Mobile App ] --(HTTPS)--> [ API GATEWAY (Rate Limiting & Auth) ]
                                |
                                |-- (Route /users) --> [ User Microservice ]
                                |
                                |-- (Route /pay) ----> [ Billing Microservice ]
                                |
                                |-- (Route /search) -> [ Search Microservice ]

8. Best Practices

  • Pagination: Never return an unpaginated list from an API. If a client calls GET /users, and you have 10 million users in your database, your server will try to load 10 million records into RAM, instantly crashing the server. *Always* enforce pagination by default: GET /users?limit=50&page=1.

9. Common Mistakes

  • Breaking Changes: A startup alters the data structure of their GET /products API. *The Failure:* The old version of their iOS app (which millions of users still have installed and haven't updated) expects the old structure. The entire app breaks for millions of users instantly. *The Fix:* API Versioning. Always prefix your APIs: GET /v1/products. If you need to make a breaking change, launch GET /v2/products and leave v1 running for legacy apps.

10. Mini Project: Design APIs for a Social App

Let's architect the REST contracts for a Twitter clone.
  1. 1. The Users:
  • Create account: POST /v1/users
  • Get my profile: GET /v1/users/me
  1. 2. The Tweets (Resources):
  • Post a tweet: POST /v1/tweets
  • Get latest feed: GET /v1/tweets?sort=latest&limit=20
  • Delete a tweet: DELETE /v1/tweets/987
  1. 3. The Likes (Sub-resources):
  • Like a tweet: POST /v1/tweets/987/likes
*Result:* A clean, predictable, standard-compliant API architecture.

11. Practice Exercises

  1. 1. Define the core principles of a RESTful API. Explain why designing APIs around "Resources" (nouns) instead of "Actions" (verbs) creates a more scalable architecture.
  1. 2. Compare REST to GraphQL. In a mobile environment with poor network connectivity, why might a mobile engineer heavily advocate for replacing REST with GraphQL?

12. MCQs with Answers

Question 1

An engineering team is designing a distributed architecture composed of 20 different microservices. To prevent the frontend client from having to manage and route requests to 20 different server IPs, what specific architectural component should be placed at the perimeter of the network?

Question 2

To protect your backend database from being crashed by a malicious bot or a Denial of Service (DoS) attack, you configure your API Gateway to block any single IP address that attempts to make more than 100 requests per second. What is this defensive engineering pattern called?

13. Interview Questions

  • Q: Explain the catastrophic danger of not implementing Pagination on a REST API endpoint that retrieves a list of resources. Walk me through the exact failure cascade from the Database to the Server RAM.
  • Q: A mobile application crashes globally because the backend team changed a field name in the JSON response payload. How does the architectural practice of "API Versioning" completely prevent this disaster?
  • Q: Compare and contrast the architecture of REST vs. GraphQL. If you are building a massive public API for third-party developers (like Stripe or GitHub), which architecture is generally preferred and why?

14. FAQs

Q: Do I always need an API Gateway? A: If you are building a simple Monolith, an API Gateway is massive overkill. Your single web server can handle routing and auth. An API Gateway is only strictly necessary when you transition to a Microservices architecture and need a centralized hub to orchestrate traffic across dozens of independent services.

15. Summary

In Chapter 7, we established the language of distributed systems. We enforced the strict, resource-based conventions of REST, ensuring our APIs are predictable, cacheable, and easily understood by third-party developers. We explored GraphQL as a highly efficient, client-driven alternative to combat over-fetching on mobile networks. We deployed the API Gateway as the ultimate defensive perimeter, centralizing routing, authentication, and enforcing rigorous Rate Limiting to protect our fragile databases from malicious traffic. By designing robust API contracts, we guarantee our decoupled systems function as a unified whole.

16. Next Chapter Recommendation

Our APIs are routed and protected from volume. Now we must protect them from unauthorized humans. Proceed to Chapter 8: Authentication and Authorization.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Load Balancing
Next Chapter Microservices Architecture

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 5

🎥 Related Videos 1