Your app needs to talk to things. The payment processor Stripe. The weather service giving you the current temperature. Your own database. OpenAI's models. Each of these lives on separate servers, written in different programming languages, with different ways of storing and formatting their data.
How do they talk to each other? Through an API.
The waiter in the restaurant
The classic way to explain an API is the waiter analogy, and it holds up. You're sitting at the table — that's the frontend. The kitchen — that's the backend — has everything you want. You can't walk into the kitchen yourself and take things. You might not even know exactly how the kitchen is organised. The waiter is the messenger who knows how to talk to both sides.
You order. The waiter carries the request to the kitchen in a format the kitchen understands. The kitchen produces the response. The waiter carries it back to you.
An API call works exactly the same way. Your code sends a request to a specific address, a URL. The server on the other side receives it, interprets what's being asked, fetches or creates data, and sends back a response — almost always as JSON, a structured text format both sides can read.
REST: four basic operations
The most common API format is called REST. It's about mapping four fundamental data operations to HTTP methods you already know from the web.
`GET` fetches data. `POST` creates new data. `PUT` or `PATCH` updates existing data. `DELETE` removes data. That's all. Every API you've ever encountered — Stripe, Spotify, Supabase, OpenAI — is a variation on these four operations against different URLs.
Keys and secrets
Most external APIs require you to identify yourself. That's where API keys come in. An API key is a long string of characters the service gives you when you sign up. It functions as a password and an identity check in one.
The most important thing to know about API keys: they should never end up in your code. Not in JavaScript files, not in your Git history, not in a README. An exposed key means someone else can use it against your bill.
The right place for them is environment variables: configuration values that exist on the server but are never included in the code that gets published. Vercel handles this through a simple interface in project settings.
The API you build yourself
Until now we've talked about external APIs you call. But your Next.js app can also expose its own API.
A file in the `app/api/` folder with a couple of exported functions is all it takes. It can receive requests from your frontend, from mobile apps, from third-party services that need to notify you about events. Stripe, for example, sends a webhook to your API endpoint every time a payment has been processed.
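An added example (not from the original article) of the two ideas above working together: a handler meant for `app/api/weather/route.js` that reads the key from an environment variable and calls the external service from the server, so the key never reaches the browser. The variable name `WEATHER_API_KEY`, the upstream URL and the JSON fields are assumptions made for illustration.

```javascript
// Added example. WEATHER_API_KEY, UPSTREAM and the JSON fields are assumptions.
// Next.js inlines variables prefixed NEXT_PUBLIC_ into browser code, so a
// secret must never use that prefix.
const UPSTREAM = "https://api.weather.example/v1/current"; // placeholder host

function json(body, status = 200) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// env and fetchImpl are injectable so the handler can be exercised offline.
function makeWeatherHandler({ env = process.env, fetchImpl = fetch } = {}) {
  return async function GET(request) {
    const apiKey = env.WEATHER_API_KEY;
    if (!apiKey) {
      // Fail closed: log on the server, tell the client nothing specific.
      console.error("WEATHER_API_KEY is not set");
      return json({ error: "service unavailable" }, 500);
    }

    // Accept one parameter from the caller and validate it before use.
    const city = new URL(request.url).searchParams.get("city") ?? "";
    if (!/^[\p{L} .'-]{1,64}$/u.test(city)) {
      return json({ error: "invalid city" }, 400);
    }

    const upstreamUrl = new URL(UPSTREAM);
    upstreamUrl.searchParams.set("city", city);

    // The key is sent only on the server-to-server request.
    const upstream = await fetchImpl(upstreamUrl, {
      headers: { Authorization: `Bearer ${apiKey}` },
    });
    if (!upstream.ok) {
      // Do not relay the upstream error body to the browser.
      return json({ error: "upstream error" }, 502);
    }

    // Return only the fields the frontend needs, never the raw upstream reply.
    const data = await upstream.json();
    return json({ city, temperature: data.temperature });
  };
}

// In app/api/weather/route.js this is the function the route file exports.
const GET = makeWeatherHandler();
```

The frontend calls `/api/weather?city=...` and only ever sees the trimmed JSON; the key exists solely in the server's environment.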
APIs are the fundamental unit of how modern software communicates. Every time Claude Code asks OpenAI for a response, it does so via an API call. Every time you save an order in Supabase, that's an API call. The web is a large layer of services talking to each other this way.
