Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Who talks to API (REST) ? Web client vs server?

Tags:

rest

architecture

webserver

mobile

api

In my app architecture, I have the following components:

  • Mobile client
  • Api (REST)
  • Web client
  • Web server (for the web client)

The mobile is talking to the api, that is obvious. However, I was wondering which one of the web components should talk to the api.

At the beginning, I started making it server-side. And then I realized the server is simply calling the api, which the client can do as well - so why not delegate those calls to the client? that is:

  1. request: client -> server -> api
  2. response: api -> server -> client

we get:

  1. request: client -> serevr + client-> api
  2. response: server -> client, api -> client.

It has the advantage that our server has to make fewer network calls, hence reduced bandwidth. Now the client may need a bit of increased bandwidth, but it doesn't need to deal with all the users. Also, the client overall loading time isn't increased (I think?), since the client will have to wait for the api response anyway; whether it comes through the server or not.

Hence currently, my web client is talking directly to the web. However, it feels a bit weird, specially regarding authentication.

  1. Is that the right choice?
  2. Is there a better choice between the two?
  3. Are there more advantages or disadvantages for this choice
like image 362
saw Avatar asked Oct 19 '22 23:10

saw

1 Answers

Configuring your client to operate through an intermediate web server is not a bad setup and probably preferable.

If your web server is just serving static content and piping API requests to the backend then it can probably support the traffic of many API instances. This means you could add capacity by having multiple API instances and have the web server load balance across them.

In addition you can reduce the attack surface of your hosting environment by having the API only accessible on the internal network and route calls through the publicly accessible web server. This way you can also choose how much of the API interface to publish.

And lastly you can handle authentication in one place. If authentication is handled by the web server, and it checks the authentication of each call before routing it to the API server, your API server has one less thing to worry about (this assumes your API server is only accessible on your internal network as above.) You can even implement authentication schemes at this point so that users only have access to a subset of the API server interface.

like image 134
allen-smithee Avatar answered Oct 28 '22 20:10

allen-smithee
Sign in to Comment

Related questions

Using Loader in API 8
Posts scheduled via Graph API frequently do not get published
What is the simplest way to display Instagram follower count
Soundcloud Authentication and API
Should an API consume itself or call the database directly for other resources?
Node.js: How to test my API, mocking a third party API called by my API
What happens if I delete older Android API levels and keep only latest one
Rest API Best Practices: Multiple parameters search filter API implementation
Google Drive API, uploading file [Python]
Adding tags to tumblr post via API
Vulnerability with Facebook token hijacking
RubyOnRails kind of Single Sign On strategy for devise
Token Authentication Logout: should I delete the token?
Failed to connect: 0 push notification
Google Dictionary API not working--is there another solution? [closed]
Linkedin API - Search post by keyword
How to integrate batch requests in a Rails API?
YouTube Data API v3 does not support 500 characters for ‘tags’ property of Video.snippet resource
How to keep a python 3 script (Bot) running
Facebook API error code 191 [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!