Last Updated Jul 13, 2021

Table of Contents:

What is an API Endpoint?

An API endpoint is the point where the API and the rest of the internet meet and communicate. From the API's perspective, this endpoint is "exposed" to requests from clients. It is also exposed to potentially malicious traffic, so endpoint security is an important concern. The API endpoint takes requests from clients (for example, GET or POST requests) and passes them to a server. Endpoints specify where resources can be accessed.

Endpoint Syntax

Endpoints are called by their Universal Resource Identifiers, or URIs, and Uniform Resource Locator, or URLs, which specify the location and how to access the resource.

API Endpoint Syntax Example

Let's say we want to verify Value Added Tax (VAT) with our[VAT Validation and Rates API. The call to the API endpoint would look this: `curl 'https://vat.abstractapi.com/v1/validate/?api_key={YOUR_API_KEY}&vat_number=SE556656688001'` What do we see in this endpoint?

  • We have the URL `https://vat.abstractapi.com/` that tells us where the endpoint is (`vat.abstractapi.com`), and how to access it (`https`).
  • `/v1/` is the version of this API.
  • `/validate/` is the actual endpoint we are calling. If we wanted to calculate VAT rates we would call `/calculate/`, or if we wanted to see up-to-date VAT rates based on category, we would call `/categories/`.
  • `?api_key={YOUR_API_KEY}` is the API key you received from Abstract API.
  • `&vat_number=SE556656688001` is a required request parameter. This is the actual VAT number we're passing through the `/validate/` endpoint to be verified.
  • `&` is joining our individual query parameters into one query string.  

Calling this API Endpoint

To validate VAT number `SE556656688001`:

curl 'https://vat.abstractapi.com/v1/validate/?api_key={YOUR_API_KEY}&vat_number=SE556656688001' 

We should get a JSON file back with the information we requested:

    "vat_number": "SE556656688001",
    "valid": true,
    "company": {
        "name": "GOOGLE SWEDEN AB",
    "country": {
        "code": "SE",
        "name": "Sweden"

What do we see in this GET response?  

  • `vat_number` is the number we requested information for.
  • `valid` is a boolean, and tells us this is a valid VAT number.
  • `company`, `name`, and `address` tell us the registration information of this business.
  • `country`, `code`, and `name` tell us the country this VAT info is associated with. For more information on two-letter country codes, go [here](wikipedia/ISO_3166-1_alpha-2).
  • `/n` prints a new line.

Endpoint Security

An important part of exposing endpoints to clients is ensuring they're secure, because they allow requests from the outside world. APIs generally ask for an email address or signup to send you public and private API keys to use their services, at a minimum. They may go further and use an OAuth authentication server, or even HMAC, but there will likely be some method in place to authenticate users. Other security methods include always using HTTPS, one-way password hashing, strong authentication, rate limiting, validating input, and enforcing IP address filtering.  


The API endpoint is the location a developer sends requests to interact with the API, and the point the API owner must expose to allow developers to use it. The REST API contract governs how data may be exchanged between clients and servers, and it is here where that contract is most important.

Try Abstract's suite of free API's, trusted by 100,000+ developers.
Get started