localwebadvisor
WIKI← Wiki home

What Is an API? A Plain-English Guide for Business Owners

By FayUpdated Jul 9, 2026EVERGREEN
⚡ THE ANSWER

An API (application programming interface) is a structured way for one piece of software to request data or actions from another. Your booking system, payment processor, and CRM all expose APIs so other tools can talk to them automatically. Most modern APIs use REST conventions and exchange data as JSON over the same HTTPS connections websites use. For a small business, APIs are what make integrations possible — online payments, calendar sync, automatic invoicing — without manual re-entry.

Share of web traffic
API calls make up the majority of web traffic — Akamai has measured it at over 80% (Akamai)
Dominant style
REST remains the most widely used API architecture among developers (Postman State of the API)
Scale of API businesses
Stripe, an API-first payments company, processed around $1 trillion in volume in 2023 (Stripe)
Integration ecosystem
Zapier connects 6,000+ apps entirely through their public APIs (Zapier)

The restaurant menu analogy, done properly #

You have probably heard that an API is like a restaurant menu, but the analogy is usually botched. Here is the full version. The kitchen is another company's software — Stripe's payment system, Google's calendar. You cannot walk into the kitchen; that would be chaos and a security nightmare. The menu is the API documentation: a fixed list of things you may request, exactly how to phrase each request, and what you will get back. The waiter is the API itself: it carries your order in, carries the dish out, and refuses orders that are not on the menu. Crucially, the menu is a contract. The kitchen can renovate, change suppliers, or hire new chefs, and your order still works, because the menu stayed the same. That contract is the entire point: two systems built by strangers can cooperate reliably without ever seeing each other's internals.

What are REST and JSON, really? #

REST is a set of conventions for organizing an API around URLs and standard verbs. Each thing gets an address — /customers, /appointments/42 — and you act on it with HTTP methods: GET reads, POST creates, PUT or PATCH updates, DELETE removes. Nothing exotic; it is the same protocol your browser uses to fetch web pages, which is why REST APIs work everywhere. JSON is the format the data travels in: human-readable text made of labeled values in curly braces, like a structured index card. A customer record might read: name, then the name; email, then the email; visits, then a number. Developers like JSON because every programming language can read and write it, and because a non-programmer can squint at it and understand it. When a proposal says a service has a REST JSON API, it means: standard, well-understood plumbing that any competent developer can integrate with.

A real request in ten lines #

Here is an actual API call — the kind of code running behind a Book Now button. It asks a booking system to create an appointment and waits for the confirmation. Notice how readable it is: a URL, a verb, an identity, and the details of the request. The response comes back as JSON too, typically including an ID your site can show the customer as a confirmation number. Every integration on your website — payments, maps, reviews, scheduling — reduces to variations of these few lines.

Creating a booking via a REST API
const res = await fetch("https://api.bookingapp.com/v1/appointments", {
  method: "POST",
  headers: {
    "Authorization": "Bearer sk_live_xxx",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    service: "drain-cleaning",
    start: "2026-07-15T09:00:00-05:00",
    customer: { name: "Ana Ruiz", phone: "512-555-0147" }
  })
});
const booking = await res.json(); // { id: "apt_8231", status: "confirmed" }

Real business examples you already rely on #

APIs are already woven through a typical local business, often invisibly. Payments: when your website charges a card, it calls Stripe's or Square's API; the card number never touches your server, which is what keeps you out of the hardest parts of PCI compliance. Bookings: an online scheduler calls your calendar's API to check availability and then writes the appointment back, so double-bookings become impossible. CRM sync: a new contact-form lead can be pushed into your CRM via its API the second the form is submitted, instead of a staff member retyping it Monday morning. Reviews: your site can pull your latest Google reviews through an API and display them automatically. Accounting: invoices flow from your booking tool into QuickBooks the same way. Each integration replaces a piece of manual re-entry — and manual re-entry is where errors, delays, and lost leads live.

API keys and security #

An API key is a long secret string that identifies who is calling — a password for software. When your site calls Stripe, the key tells Stripe which account to act on and what it is allowed to do. Three rules keep keys safe. First, secret keys belong on a server, never in code the browser can see; anything shipped to the browser is public, full stop. Second, use the least privilege available — most providers offer restricted keys that can, say, create charges but not issue refunds, so a leaked key does bounded damage. Third, rotate keys when staff or vendors leave, exactly as you would change the locks. Also insist that every API call travels over HTTPS, which encrypts it in transit. When we audit small-business sites, secret keys pasted into front-end JavaScript is among the most common serious mistakes we find — quick to fix and very much worth fixing.

Webhooks vs polling: how systems stay in sync #

There are two ways for your software to learn that something happened in another system. Polling means asking repeatedly: every five minutes, your system calls the API and asks whether there are new orders. It is simple but wasteful — thousands of calls a day that mostly return nothing — and always a little stale. Webhooks reverse the direction: you give the other system a URL, and it calls you the instant something happens. Payment received, booking canceled, form submitted — a webhook fires within seconds, carrying the details as JSON. It is the difference between phoning the post office hourly and having the carrier ring your doorbell. Most modern platforms support both, and good integrations use webhooks for instant reactions (send the confirmation text now) with occasional polling as a safety net, since webhooks can very occasionally fail to arrive and well-built systems reconcile the difference.

What do API integrations cost? #

Costs come in two layers: usage fees and development time. Usage is often cheap or free at small-business volume — many APIs offer free tiers, payment APIs charge per transaction (roughly 2.9% plus 30 cents is typical), and services like Google Maps bill per thousand requests with monthly credits that small sites rarely exceed. Development is the bigger line. A no-code connection through Zapier or Make runs $20-$100 per month and an afternoon of setup. A straightforward custom integration — form to CRM, booking to calendar — is typically a few days of development, commonly $1,000-$3,500. Deep two-way syncs with error handling, retries, and reporting run $5,000-$15,000+. Budget a little for maintenance too: APIs version and deprecate, so expect a few hours a year of updates. Our free Cost Calculator includes integration scenarios if you want to model a specific stack before committing.

What can go wrong with APIs? #

APIs fail in predictable ways, and good integrations plan for all of them. Rate limits: providers cap how many calls you can make per minute; exceed it and requests get rejected, so well-written code slows down and retries automatically. Downtime: the other system will occasionally be unavailable, and your integration should queue work and retry rather than silently drop a booking. Versioning: providers release v2 and eventually retire v1 — usually with a year or more of notice, but only if someone is reading those emails. Breaking changes: a field gets renamed and an unmonitored integration starts failing quietly, which is worse than failing loudly. The fix for all of these is the same: logging, alerts when error rates rise, and a human who is nominally responsible. When we build integrations, monitoring is part of the deliverable, because an integration nobody watches is a slow-motion outage.

When to get help #

You can go a long way without a developer: Zapier-style tools cover the common form-to-CRM and order-to-spreadsheet patterns for a modest subscription. Bring in professionals when the integration touches money, when data must sync in both directions without conflicts, when volume makes per-task automation pricing painful, or when a failure would cost you customers rather than convenience. Our web app development service builds custom integrations with the unglamorous parts included — retries, logging, alerting, and documentation your next developer can read. And if you are inheriting a site and have no idea what it is already connected to, our free Website Grader flags the third-party services a page is calling, which is a fast way to map your current dependencies before adding new ones.

FAQ

Is an API the same as an app?

No. An app is software people use directly, with screens and buttons. An API is an interface other software uses — no screens, just structured requests and responses. Many products are both: QuickBooks is an app for your bookkeeper and an API for your invoicing integration at the same time.

Do I need to know how to code to use APIs?

Not for common cases. Tools like Zapier and Make connect thousands of apps through their APIs with a point-and-click interface. Coding becomes necessary when you need custom logic, two-way sync, high volume, or connections those tools do not offer — that is when a developer writes against the API directly.

Are APIs safe for handling payments?

Yes — safer than the alternatives, when used correctly. Payment APIs from Stripe or Square are designed so card numbers go straight from the customer's browser to the processor and never touch your website's server, dramatically reducing your compliance burden. The main risks are implementation mistakes, like exposing secret keys in front-end code.

What is the difference between an API and a webhook?

Direction. With an API, your system asks another system for data or actions. With a webhook, the other system proactively notifies yours the moment something happens, by calling a URL you provide. Webhooks are how you get instant reactions — a confirmation text seconds after payment — without constantly asking.

What does REST stand for?

Representational State Transfer — a term from a 2000 dissertation by Roy Fielding. The name matters less than the idea: organize an API around addressable resources and standard HTTP verbs so any developer can understand it quickly. When vendors say RESTful, they mean the API follows these widely known conventions.

How much does it cost to build a custom API integration?

Typical ranges: a simple one-way connection like form-to-CRM runs $1,000-$3,500; a two-way sync with error handling and monitoring runs $5,000-$15,000 or more. Add small ongoing costs for API usage fees and a few maintenance hours a year as providers update their APIs.

Was this helpful?