---
title: Integrating APIs and Web Services
description: APIs and Web Services are the heart of applications and system development. They enable us to re-use tried and trusted code across multiple applications and application formats and providing access for partners into internal systems.
component: developer-resources
page_id: developer-resources:application_integration_guide:integrating-apis-web-services
canonical_url: https://docs.pingidentity.com/developer-resources/application_integration_guide/integrating-apis-web-services.html
revdate: September 30, 2020
section_ids:
  rest-apis: Rest APIs
  soap-web-services: SOAP Web Services
---

# Integrating APIs and Web Services

APIs and Web Services are the heart of applications and system development. They enable us to re-use tried and trusted code across multiple applications and application formats and providing access for partners into internal systems.

APIs and web services are now a common method of accessing and exposing an application's functionality and therefore a critical interface to secure.

## Rest APIs

REST-based services use HTTP verbs and JSON to communicate actions. As an example, an API may represent a "product". The following REST API calls may be performed:

* GET <https://api.company.com/product> - get all products

* GET <https://api.company.com/product/{product_id}> - get a specific product

* POST <https://api.company.com/product> - create a new product

Because they use the HTTP protocol, authentication is usually performed via HTTP headers using the authorization header. The most common protocol used to authorize access to REST APIs is the OAuth 2.0 protocol.

![REST API overview](_images/vbn1601508114610.png)

## SOAP Web Services

SOAP-based services are XML based and come with a standard security mechanism (WS-Security protocol). This allows for a security element to be presented as part of a SOAP web services call. There are multiple profiles that define these standards (i.e. the username profile which uses a username and password security token or the x509 profile that uses a certificate as a security token) as an authentication token.

The WS-Trust standard introduces the concept of a Security Token Service (STS) that the web services client and the web services provider can lverage to broker the authentication. In the WS-Trust model, a security token (i.e. a SAML assertion) is issued by the STS for the web service client. This token is passed to the web services provider during the service call. The provider will validate this token against the STS and if valid, allow access to the web services call.

![API SOAP overview](_images/qjy1601508115746.png)