Application programming interface (API) calls power much of the modern internet. An Imperva report found that API calls account for 71% of web traffic.
With that ubiquity comes increased risk. According to Traceable’s 2025 State of API Security Report, 57% of organizations experienced an API-related data breach between late 2022 and late 2024, and 65% say generative AI poses a serious-to-extreme risk to API security, citing an expanded attack surface and data leakage through API calls as top concerns. Building secure, well-structured APIs matters more than ever.
Here’s more on what API calls are, how they drive ecommerce automation, and how to strengthen their security for you and your customers.
What are API calls?
Application programming interfaces (APIs) are the framework for how different software applications communicate, defining the rules and protocols for exchanging data. API calls are the actual messages these applications send to each other to retrieve data, trigger actions, and modify data.
In ecommerce, API calls send data between the platforms that power everyday transactions and automations. They pass order details to inventory and shipping systems, sync marketing tools with scheduled promotions, and update enterprise resource planning (ERP) and customer relationship management (CRM) systems with the latest data.
For Shopify users, APIs are woven into nearly every app in the Shopify App Store. When a payment gateway processes a transaction, for example, API calls communicate with connected apps managing inventory, customer data, and bookkeeping, keeping your entire tech stack in sync.
How API calls work
Most API calls follow a request-response cycle, where one system asks for data or an action and another system returns a result. The most common protocol for APIs is HTTP, and an HTTP API call works in three stages:
- Request. A system sends a message to a server’s API endpoint, requesting data or asking it to trigger an action.
- Processing. The API receives the request, uses security protocols to verify whether the request is authorized, and carries it out by retrieving, creating, or modifying data.
- Response. The API responds, often including the requested data and a status code that indicates whether the request succeeded, such as "200 OK" for success or the error code "404 Not Found" when the requested resource doesn’t exist.
Each request includes a request line defining the action, a header with metadata and security credentials like an API key, and often a body containing submitted data.
These calls power everyday ecommerce transactions. When a customer enters their address at checkout, for example, API calls communicate with the payment processor to retrieve saved payment data or the correct sales tax for their state.
Types of API calls
Most APIs in ecommerce are built using one of two approaches: REST (representational state transfer) or GraphQL. Both are sets of rules for how API requests should be structured, and both typically run over HTTP, but they organize their operations differently.
REST is the older, more established approach. It treats each piece of data—a customer, an order, a product—as a resource with its own URL, and uses standard HTTP methods to act on those resources:
- GET. Retrieves data from the server, such as customer details during checkout.
- POST. Sends new data to the server, such as creating a customer account.
- PUT/PATCH. Updates existing data—PUT replaces existing data entirely, and PATCH applies a partial update, such as updating inventory or modifying product descriptions.
- DELETE. Removes data from the server, such as clearing outdated records.
GraphQL is a newer approach that sends all requests to a single endpoint and lets developers specify exactly what data they want in the request itself. This gives them more precision than REST over what data is returned—for example, pulling just a customer’s name and email instead of their entire profile.
Most GraphQL requests fall into two types:
- Queries. Fetch data from the server, such as pulling customer records from a CRM.
- Mutations. Modify data on the server, such as updating inventory or correcting a customer’s purchase history.
Many ecommerce platforms are increasingly using GraphQL, including Shopify, which is phasing out its REST API support in favor of its GraphQL Admin API.
What are malicious API calls?
Malicious API calls are requests sent to an API for harmful or unauthorized purposes, which can result in data breaches, account takeovers, phishing scams, DDoS attacks (distributed denial-of-service attacks that flood a system with requests to disrupt service), injection attacks (attacks that feed malicious input or code into a system), and data scraping, among other data exposure threats.
In ecommerce, malicious API calls often target systems that handle checkout, payments, inventory, customer data, and app-to-app communications.
Ultimately, malicious API calls come from bad actors posing as authorized users. Strong API security relies on verifying API clients and denying requests that exhibit suspicious behavior.
How to keep APIs secure
The volume of API calls in ecommerce can make API security tricky, but there are a number of tools and approaches you can use to make and receive secure API calls and improve your overall API security.
Regulate your API traffic
Regulating API traffic keeps your system stable as request volume grows. Two common methods—rate limiting and timeouts—help control excessive calls and protect server performance. These settings are usually configured at points that first handle API requests, such as API gateways, and are applied with stricter traffic rules at more vulnerable access points, such as customer logins, checkouts, and admin-only webpages.
- Rate limits. Cap the number of API calls a user can make over a given period. When exceeded, the API returns a 429 Too Many Requests response, directing the user to try again later.
- Timeouts. Stop API calls that take too long, preventing one user from consuming resources and slowing the experience for others.
- API gateways and reverse proxies. Entry points between API requests and APIs, where rules such as rate limits, timeouts, and request filtering can be applied before the request reaches the API itself.
Optimal settings vary by platform and can be tested using security-focused API testing tools.
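The following is an added example, not code from the original article or from Shopify, showing the gateway rules described above: a sliding-window rate limiter with stricter limits on the login and checkout routes, a 429 response carrying a Retry-After header, and a timeout that cuts off slow upstream calls. The route names, limits, and the simulated upstream duration are assumptions constructed for the example.

```python
import time
from collections import defaultdict, deque

# Per-route limits, constructed for this example: (max calls, window in seconds).
# Sensitive routes such as login and checkout get much stricter rules than the default.
RATE_LIMITS = {
    "POST /account/login": (5, 60),
    "POST /checkout": (20, 60),
    "default": (100, 60),
}
REQUEST_TIMEOUT_SECONDS = 5.0  # upstream calls slower than this are cut off


class SlidingWindowLimiter:
    """Counts requests per (client, route) inside a sliding time window."""

    def __init__(self, limits):
        self.limits = limits
        self.history = defaultdict(deque)  # (client_id, route) -> request timestamps

    def check(self, client_id, route, now=None):
        """Return (status, headers): 200 if allowed, 429 with Retry-After if over the limit."""
        now = time.time() if now is None else now
        max_calls, window = self.limits.get(route, self.limits["default"])
        bucket = self.history[(client_id, route)]
        # Forget timestamps that have aged out of the window.
        while bucket and now - bucket[0] >= window:
            bucket.popleft()
        if len(bucket) >= max_calls:
            retry_after = int(window - (now - bucket[0])) + 1
            return 429, {"Retry-After": str(retry_after)}
        bucket.append(now)
        return 200, {}


def handle(limiter, client_id, route, now, upstream_seconds):
    """Gateway decision: apply the rate limit first, then enforce the timeout.

    upstream_seconds simulates how long the backend took to answer.
    """
    status, headers = limiter.check(client_id, route, now)
    if status == 429:
        return status, headers
    if upstream_seconds > REQUEST_TIMEOUT_SECONDS:
        return 504, {}  # 504 Gateway Timeout: the backend took too long
    return 200, {}
```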
Manage access with API keys and access tokens
One of the most effective ways to secure an API is to control who can access it. API keys and access tokens act as credentials that verify an API request, ensuring only authorized users can reach your API endpoints:
- API keys. Unique character strings that identify a specific user or application, used across multiple API calls.
- Access tokens. These grant access to users temporarily, often through authorization frameworks like OAuth (used in many Shopify apps) or OpenID Connect.
Both are typically sent in the HTTP header, allowing the API to verify API clients before any data is retrieved or modified. Secure setups often issue different credentials for different apps, users, or environments, so permissions can be scoped precisely, and access can be updated or revoked as needed.
Like passwords, API keys can be stolen if not protected properly. When issuing them, warn users to keep API keys private and never share or post them where others might access them.
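As an added illustration (not code from the original article or from Shopify) of the key-handling practices above, the snippet below issues keys scoped to one app and environment, stores only a hash of each key server side, verifies the key from the request's HTTP header, checks the requested scope, and supports revocation. The header name, scope names, and key format are assumptions constructed for the example.

```python
import hashlib
import secrets

# Server-side store, constructed for this example. Keys are stored only as SHA-256
# digests, so a leaked copy of the store does not expose usable credentials.
KEY_STORE = {}


def hash_key(api_key):
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key(app_name, environment, scopes):
    """Create a key tied to one app and environment; the plaintext is returned only once."""
    api_key = f"{environment}_{secrets.token_urlsafe(24)}"
    KEY_STORE[hash_key(api_key)] = {
        "app": app_name,
        "env": environment,
        "scopes": set(scopes),
        "revoked": False,
    }
    return api_key


def revoke_key(api_key):
    """Mark a key unusable without deleting its audit record."""
    record = KEY_STORE.get(hash_key(api_key))
    if record is not None:
        record["revoked"] = True


def authorize(headers, required_scope):
    """Return (status, reason). Expects 'Authorization: Bearer <key>' (assumed header)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing credentials"
    presented = auth[len("Bearer "):].strip()
    # Looking up the digest rather than the key itself means the key never has to
    # be stored; equal digests imply an equal key.
    record = KEY_STORE.get(hash_key(presented))
    if record is None or record["revoked"]:
        return 401, "unknown or revoked key"
    if required_scope not in record["scopes"]:
        return 403, f"key for {record['app']} lacks scope {required_scope}"
    return 200, "ok"
```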
Test your APIs
Regularly test API calls and review responses for security flaws—weak authentication, exposed data, unexpected error behavior, and other vulnerabilities. API testing tools specialize in different areas:
- Security. Identifying vulnerabilities to attack and data exposure.
- Performance. Measuring load times across different platforms and environments.
- Integration. Ensuring compatibility with connected systems, including other Shopify apps.
- Functionality. Verifying APIs execute as intended.
Testing not only exposes vulnerabilities but also reveals how APIs behave under unexpected conditions. These tools are particularly useful for testing workflows essential to ecommerce, like checkouts, inventory syncing, and customer and order data processing. Common tests include sending sample requests, load testing, and reviewing API responses for flawed or overexposed data.
In addition to the categories above, testing tools vary widely in strengths and weaknesses. Some are built for larger enterprise tech stacks, while others specialize in narrower use cases or specific software environments.
API calls FAQ
What does API mean?
API stands for application programming interface. It refers to a set of rules and protocols that allow different systems to communicate, where an application can make an API call to another application to receive, send, or modify specific data.
What are the different types of API calls?
Common types of API calls include GET requests for retrieving data, POST for submitting data, PUT or PATCH for updating existing data, and DELETE for removing data. These are the standard HTTP methods used by REST APIs, with data usually exchanged in JSON or XML format. In APIs built with GraphQL, which also typically run over HTTP, the two main operation types are queries, which request data, and mutations, which create or modify data.
What triggers an API call?
An API call is triggered whenever one system needs another system to send data, modify information, or perform an action. Common triggers include user actions like submitting an order form or signing up for a newsletter, as well as automated actions such as syncing data between product orders, inventory, and shipping services.