Recap and Practice

Key takeaways

• An API is a menu of requests one program offers another, and it's a contract: ask in the agreed way, get an answer in the agreed shape. Most API bugs are one side breaking that contract.
• JSON is how the answer comes back — keys and values, built from objects { } and arrays [ ], which nest. The data types are string, number, boolean, null, array, object.
• The string-vs-number trap (42 vs "42") and missing-vs-null are the most common shape bugs. You can read JSON now — check the type when something behaves weirdly.
• An API key is a password. Never ship it to the browser, never commit it to git, store it in environment variables. A leaked key should be rotated immediately.
• Watch for rate limits (429) and metered billing — AI-written loops that call a paid API with no pause are how you get a four-figure invoice. Read the pricing and set a budget alert first.

Try it

Find a free, no-key API in your browser — for example open https://api.github.com/users/octocat directly in a new tab. You'll see a raw JSON response. Read it like a form: pick out the objects { }, find an array if there is one, and name the type of three different values (which are strings? numbers? booleans? is anything null?). You've just done the exact sanity-check this chapter asks you to run on every API response the AI wires up.

Prompt of the chapter

I'm calling an API and I want to check the data shape myself, as a beginner.
Here are the real docs (example request + example response):
<paste the example request and JSON response from the API's docs>

- Before writing parsing code, show me the raw JSON the call returns and
  point out the keys, their types, and anything that might be null or missing.
- Confirm the keys my code reads actually exist in that response.
- Make sure the API key is read from an environment variable on the server,
  never hardcoded or sent to the browser.
- Tell me what happens if the call fails, times out, or hits a rate limit.