//pragmatic leaders

Types of API

Reading time
5 min
Section
PM Foundations (Legacy)
5 min left0%
types of api0%
5 min left
APIs are the business layer’s handshake across teams and companies — not just technical plumbing.
Talvinder Singh, from a Pragmatic Leaders session on APIs

APIs are not just technical interfaces. They are the contracts that enable different teams, products, and companies to work together. The actual job of an API is to expose business capabilities securely and efficiently — to the right audience, with the right permissions.

If you cannot classify APIs clearly, you will struggle to design integrations and partnerships that scale. This lesson gives you the vocabulary and examples you need to spot API types and understand their strategic implications.

The three access-based API types: open, partner, and internal

APIs can be categorized primarily by who is allowed to use them. This access model shapes how they are designed, secured, and evolved.

Open APIs (Public APIs)

Open APIs are publicly accessible without special permission. They are designed for external developers, partners, or users to integrate with your product or service freely.

  • They provide a communication channel between your internal systems and the outside world.
  • Open APIs often power B2C apps or developer platforms.
  • Example: Google Maps API allows any developer to embed maps or location data into their apps.

Open APIs must be carefully designed for security and scalability because anyone can use them. They often include rate limits and require API keys but do not restrict who can apply for access.

Partner APIs

Partner APIs are exposed only to strategic business partners. They are not public and require special onboarding and permission.

  • Access is controlled through a workflow validation process.
  • These APIs enable close collaboration with B2B customers or trusted B2C partners.
  • Example: A fintech company might expose a partner API to integrate with a bank’s systems securely.

Because partner APIs are for a limited audience, they can expose richer, more sensitive functionality. The relationship between the API provider and consumer is often contractual and governed by SLAs.

Internal APIs (Private APIs)

Internal APIs are used within an organization, between internal teams or services.

  • They improve productivity by allowing teams to reuse existing services.
  • Often not documented for external consumption.
  • Used across various app types: application-to-application (A2A), business-to-employee (B2E), business-to-business (B2B), and business-to-consumer (B2C).
  • Example: An e-commerce platform’s payment processing API used only by its internal order management and checkout systems.

Internal APIs help decouple teams and speed up development but require strong governance to ensure stability and consistent versioning.

// thread: #product-api — Product team discussing API access models
Anjali (PM)We need to decide if the new billing API should be open or partner-only. Thoughts?
Rahul (Engineering)Partner API makes sense — we want to onboard select vendors, not open it to everyone.
Neha (Security)Agreed. We’ll implement OAuth scopes and a strict onboarding workflow.
Anjali (PM)Perfect. That will protect sensitive financial data while enabling integrations.

The three functional API types: data, external service, and composite

Beyond access, APIs can be categorized by their function — what they expose or enable.

Data APIs

Data APIs provide CRUD (Create, Read, Update, Delete) access to data sets behind applications.

  • They expose internal services to external or internal consumers.
  • Often reflect complex internal processes in a simplified interface.
  • Examples: Google Data APIs expose data like calendar events or contacts; SOAP web services are a traditional form of such APIs.

These APIs are critical for building integrations that require direct data manipulation or retrieval.

External Service APIs

External service APIs wrap third-party services that add value to your product.

  • Your product embeds these services via their APIs.
  • Examples include SendGrid for transactional emails, Stripe for payment processing, or HyperTrack for location tracking.
  • These APIs are not built by your team but are essential building blocks.

They allow your product to focus on core value while outsourcing specialized functionality.

Composite APIs

Composite APIs combine multiple data or service APIs — both internal and external — into a single interface.

  • They orchestrate calls to several APIs and aggregate the results.
  • Example: Salesforce’s account creation process involves internal data APIs and external services to provision accounts.
  • Composite APIs simplify client interactions by exposing a higher-level operation.

They are useful when a client needs a specific business process that spans multiple systems.

// scene:

API design review at a SaaS startup in Bangalore

You (PM): “The account onboarding flow is complex — it calls our internal user API, the external credit check service, and the partner provisioning API.”

Priya (Engineering Lead): “We should build a composite API to wrap these calls. It will reduce client complexity and improve reliability.”

Ravi (CTO): “We also need to monitor each underlying API’s latency to ensure the composite API meets SLAs.”

You (PM): “Let’s define the success criteria around end-to-end onboarding time and error rates.”

// tension:

Balancing complexity and reliability in API design

How Indian companies use API types in practice

Indian SaaS and fintech companies illustrate these API distinctions clearly:

  • Open APIs power platforms like Razorpay, allowing developers to integrate payments into their apps with minimal friction.
  • Partner APIs are common in B2B fintech, where banks and payment gateways exchange sensitive data securely.
  • Internal APIs enable companies like Swiggy and Flipkart to decouple their logistics, catalog, and payments teams for faster iteration.

Understanding the API type helps you anticipate security requirements, user onboarding flows, and monitoring needs.

The technical API types you should know

While access and function are primary, APIs also differ by protocol:

  • SOAP: An older, XML-based protocol with strict standards, often used in enterprise integrations.
  • REST: The dominant modern style, using HTTP and JSON, valued for simplicity and scalability.
  • XML-RPC / JSON-RPC: Remote procedure call protocols using XML or JSON payloads.

Knowing these helps you communicate effectively with engineering and understand integration complexity.

Field exercise: Categorize your product’s APIs

// exercise: · 10 min
API Type Audit

List all the APIs your product currently exposes or consumes. For each, answer:

  1. Who uses this API? (Internal team, partner, public developers)
  2. What does the API do? (Data access, external service integration, composite operation)
  3. What protocol does it use? (REST, SOAP, RPC)
  4. What are the security and onboarding requirements?

This exercise will clarify your product’s integration landscape and help identify gaps.

Test yourself: The API access decision

// learn the judgment

You are PM at a Series A fintech startup in Mumbai. The engineering team proposes exposing a new payments API. The CEO wants it open to attract developer adoption quickly. The legal team warns about compliance risks. You have two weeks to decide the API access model.

The call: Should you make the API open, partner-only, or internal? How do you justify your decision to stakeholders?

Your reasoning:

// practice

You are PM at a Series A fintech startup in Mumbai. The engineering team proposes exposing a new payments API. The CEO wants it open to attract developer adoption quickly. The legal team warns about compliance risks. You have two weeks to decide the API access model.

Your task: Should you make the API open, partner-only, or internal? How do you justify your decision to stakeholders?

your reasoning:

0 chars (min 80)

Where to go next