What does your company need to use an API?



The aim is for the company’s information, functionalities and products to be available in a repository requiring authenticated access by both employees – product, development and IT teams – as well as clients, partners and suppliers.

The idea is for third party companies to take advantage of all this potential and to contribute speed and flexibility to launch other products and services on the market, thereby reducing costs and increasing the probability of success.

Furthermore, the requirements for a company to use an API are not excessively demanding. Nowadays, most developers in the world have experience in managing APIs, largely because they are part of their day to day business.

It is also true that application programming interfaces rarely allow unrestricted access to information, because of security requirements. Token-based authentication is vital, usually under the OAuth protocol, and IT professionals must be able to identify and approve these API calls.

APIs are a key tool in business development, primarily due to their capacity for personalization and scalability. They are the most efficient and optimal vehicle to request and receive information. In addition, authentication allows relatively easy ad hoc customization of the type of data received in each call.

It is common practice for partners and suppliers to make use of an API of which they do not need all the contents, hence they receive only a portion. This is what is known as the scope, which is defined for each customer thanks to the authentication process incorporated into the API through the OAuth Protocol.

As a result, APIs are flexible, customizable and secure tools that are called on to evolve continuously, due to their potential. They are fertile ground for innovation, from the point of view of business and technical product design.

Sometimes, the use of APIs leads companies to understand their value and to promote the launch of interfaces for the development of their own applications from the inside.

Key points

An API can never be an end in itself. Its purpose is to satisfy a need that is internal to the business or required for customers, partners or suppliers. Detecting that need is essential because it paves the way for preparing the concept and development strategy.

If you do not have APIs of your own, use existing ones to build your business. If you do, make them openly available so the community of developers can become familiar with them, try them out, make improvements, etc. Ideally, you will use third party APIs and create APIs for third parties.

Nowadays, there are various models for monetizing APIs on the world market. Some charge for access, some for the volume of calls and others also charge for support, etc. It is important to understand that the open concept does not imply that it is free.

Implementation requirements and IT resources

Without entering into excessive technical details, the entire IT infrastructure required to operate with APIs can be summarized in 3 layers and two different processes, all of which use data and information as the raw material for business.


This is the layer that surrounds and, to some extent, protects the data and information that the company distributes through its API. It interacts with them and establishes all the processes needed to increase their availability and speed when providing information, and to guarantee scalability and flexibility. It is worth noting that in certain sectors, such as banking, the information used as raw material for APIs is highly sensitive data.

This is the layer that defines all the services that will be used by the API; currently, most of these are REST services with REST APIs. Each of these services has a series of endpoints from which customers, partners or suppliers can connect to make requests. This process must comply with all security requirements, guaranteed by authentication and authorization of these calls. This is where the security part resides.

The best possible scenario for an APIfied company is to have an API Manager to monitor the use of interfaces, control the volume of calls to these services, meet all the security requirements, etc. The end purpose is to achieve a Data as a Service business model (DaaS), where the APIs and everything associated with them are the core of all business operations.


API authentication can usually be achieved through three alternative procedures. The first and most common is by using an API Key, a single identifier with a code and password to identify the user who wants to connect to the API at any given time. The second option for accessing an API is through a key/value rule. The third possibility is to use OpenID Connect, an open protocol that forms part of OAuth 2.0 specifications and focuses on single user authentication for websites through the browser (with JavaScript) and for native applications, without having to store and manage passwords.

The most popular standard protocol used to manage distributed authorization is OAuth 2.0, which carries out the process through an access token that enables requests on a specific resource. In other words, each token determines what the user can do and which resources can be accessed. Therefore, there can be hundreds of different accesses, each with a different token, where each customer, partner or supplier receives only the information from the API they have permission for (scope).
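
The scope check described above, as an added example that is not part of the original article: a resource server validates the bearer token, then compares the scope granted to that token with the scope the endpoint requires. The token values, client names, scope names and endpoints are constructed for illustration; the error names `invalid_token` and `insufficient_scope` are the ones defined for bearer tokens in RFC 6750.

```python
# Constructed sample data: what a token lookup (for example RFC 7662
# introspection) might return for three issued access tokens.
NOW = 1_700_000_000  # fixed clock so the example is deterministic
TOKENS = {
    "tok-partner": {"active": True, "client_id": "partner-a",
                    "scope": "accounts:read", "exp": NOW + 3600},
    "tok-supplier": {"active": True, "client_id": "supplier-b",
                     "scope": "accounts:read cards:read", "exp": NOW + 3600},
    "tok-expired": {"active": True, "client_id": "partner-c",
                    "scope": "accounts:read", "exp": NOW - 1},
}

# Hypothetical endpoints and the single scope each one requires.
REQUIRED_SCOPE = {
    ("GET", "/accounts"): "accounts:read",
    ("GET", "/cards"): "cards:read",
}


def authorize(method, path, authorization_header, now=NOW):
    """Return (http_status, detail) the way a resource server would decide a call."""
    # 1. Authenticate: the call must carry "Authorization: Bearer <token>".
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, "missing bearer token"
    info = TOKENS.get(token)
    if info is None or not info["active"] or info["exp"] <= now:
        return 401, "invalid_token"

    # 2. Default deny: an endpoint with no declared scope is not served.
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return 404, "unknown endpoint"

    # 3. Authorize: the token's scope string is a space-separated list.
    if required not in set(info["scope"].split()):
        return 403, "insufficient_scope"
    return 200, info["client_id"]


if __name__ == "__main__":
    for tok in ("tok-partner", "tok-supplier", "tok-expired"):
        for path in ("/accounts", "/cards"):
            print(tok, path, authorize("GET", path, f"Bearer {tok}"))
```

A 401 tells the caller to obtain a valid token, while a 403 tells an authenticated partner that its token does not cover that resource, which is how two clients calling the same API end up with different portions of it.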
