Every API term, decoded.

Application Programming Interface. A contract that lets one program ask another for data or to do work — usually over HTTP.

A long secret string the API issues to you. You send it in every request (in a header or URL param) so the API can identify and rate-limit you.

Short-lived credential issued after a successful OAuth flow. Usually a JWT. Expires; refreshed with a refresh token.

A request that doesn't return the answer immediately — instead the API returns an ID and you either poll a status endpoint or wait for a webhook.

Token sent in Authorization: Bearer <token> header. Whoever holds it can call the API — keep it secret.

Username and password sent base64-encoded in Authorization: Basic …. Simple, but only safe over HTTPS.

Strategy for retrying failed requests with increasing delay (e.g. 1s, 2s, 4s) to avoid overwhelming a struggling API.

Cross-Origin Resource Sharing. Browser security model that requires the API to set an Access-Control-Allow-Origin header for your domain.

Command-line HTTP client. Every API docs page on FreeAPIHub starts with a curl example because it works everywhere.

Response header that tells your client how long it can reuse the previous response without asking the API again.

API endpoint still works but will be removed. Look for a Deprecation header or a 'v1' → 'v2' version note.

Pattern for limiting how often you call an API — e.g. waiting 300ms after the user stops typing before sending a search request.

A specific URL the API answers on, like /users/123 or /search?q=…. APIs have many endpoints; each does one thing.

Server-assigned fingerprint of a response. Send it back with If-None-Match and the API returns 304 if nothing changed — saving bandwidth.

Quota of requests the API gives you without payment. On FreeAPIHub we list the exact number (e.g. "60 req/min, no credit card").

Free with a paid upgrade path. We tag these distinctly from 'fully free' listings.

Alternative to REST. One endpoint, you describe exactly which fields you want, server returns just those. Great for mobile clients.

Binary-format RPC over HTTP/2. Fast for service-to-service; harder to debug than REST. Used by big infra APIs.

Verbs: GET (read), POST (create), PUT/PATCH (update), DELETE (remove). REST is built on these.

HTTP + TLS encryption. Required for any API handling credentials. We filter listings by HTTPS-only on the directory.

Property where running the same request twice has the same effect as once. POST is not idempotent by default; pass an Idempotency-Key header.

API only accepts requests from listed IP addresses. Common on enterprise free tiers.

JavaScript Object Notation. The default API response format today — strings, numbers, lists, objects. Human-readable.

JSON Web Token. A signed, base64-encoded blob containing claims (user ID, expiry). Used as access tokens in modern APIs.

Time between sending the request and getting the response. Quoted as p50 / p95 / p99 — the median, 95th and 99th percentile.

Client opens a request and the server holds it open until something happens. Cheaper than WebSocket; higher latency than webhooks.

Mutual TLS. Both client and server authenticate with certificates — no password, no token. Common in banking APIs.

Standard for delegated authorization. Lets a user grant a third-party app limited access to their data without sharing the password.

Machine-readable description of an API — its endpoints, params, response shapes. Tools like Swagger UI render docs from it.

Splitting a long list across multiple requests using page/limit params or a next_cursor.

The body of an HTTP request or response. For POST/PUT, this is the JSON you send.

Cap on requests per time window (e.g. 60/min). Exceeding it returns 429. Check the X-RateLimit-Remaining header.

Representational State Transfer — most common API style. Uses HTTP verbs (GET, POST, PUT, DELETE) over plain URLs.

Long-lived credential used only to fetch a new short-lived access token. Stays on your server, never exposed to the browser.

Software Development Kit. A language-specific wrapper around the API — handles auth, retries and types so you don't have to.

3-digit HTTP response number. 2xx = success, 3xx = redirect, 4xx = your fault (401 unauth, 404 not found, 429 rate-limited), 5xx = their fault.

Server-Sent Events. One-way stream from server to client over plain HTTP. Used by AI APIs to stream tokens.

API slowing or rejecting requests to enforce rate limits. Returns 429 with a Retry-After header.

Transport Layer Security — the encryption layer behind HTTPS. Modern APIs require TLS 1.2+.

The address of an API endpoint. URL is the full thing with scheme; URI is the broader term.

The API calls you when something happens — POSTs JSON to a URL you provide. Cheaper than polling.

Bi-directional persistent connection. Use it for live updates, chat or trading data.

Human-friendly data format. Most OpenAPI specs are written in YAML rather than JSON.