Types of APIs: Open, Internal, and Partner
Infographics often stack Open, Internal, and Partner APIs next to REST, SOAP, and GraphQL as if they were the same kind of thing. They are not. Audience and trust boundary answer who may call you. Style and protocol answer how the contract is shaped. Mixing the axes produces neat trees and wrong RFCs.
This guide separates those axes, walks each audience lane with real use cases, and shows when a style fits — or when the slide quietly mislabels a database driver as an "API." For protocol depth see [REST vs GraphQL vs gRPC](/blog/graphql-vs-rest-vs-grpc); for public-surface design see [REST API design](/blog/rest-api-design-best-practices).
Running example: a travel checkout — your web app (internal FE→BE), a partner airline inventory feed, and a public weather widget for trip planning.
Two axes, not one tree
Audience axis: Open (anyone who meets published terms), Internal (your org’s systems), Partner (named counterparties under contract). That axis decides auth strictness, SLAs, rate limits, and how painful a breaking change is.
Style axis: REST, SOAP, GraphQL, gRPC, and others. Any style can appear on any audience — GraphQL is popular on public product APIs; gRPC is almost always internal. The slide’s Open branch listing REST/SOAP/GraphQL is a sample of styles, not a rule that those styles are "open APIs."
Quick reference
- Open → public docs, keys or OAuth, versioning, abuse protection.
- Internal → network trust + service identity; still authenticate in production.
- Partner → contracts, mutual TLS or scoped OAuth, change windows.
- Style choice follows clients and ops — not the color of the branch on a poster.
Remember this
I can place an API on audience and style axes independently before arguing vendors.
Comparison at a glance
Skim before the deep sections. Upgrade surface area only when a new caller class appears — not because a tree has three pretty branches.
Open — public or developer-program callers; REST/GraphQL common; SOAP rare unless industry mandates it. Failure: scrape abuse, accidental PII exposure.
Internal — same company; FE→BE or service→service. Failure: treating the private network as enough security.
Partner — named B2B counterparty. Failure: sharing an open key instead of partner-scoped credentials.
Quick reference
- Who calls? → Open / Internal / Partner.
- What shape? → REST / GraphQL / SOAP / gRPC (see style guide).
- Cost rises with external blast radius: Internal → Partner → Open.
- Measure: auth incidents, breaking-change tickets, p95, and partner SLA breaches.
Remember this
I can name the cheapest audience lane for a caller and the failure mode of each lane.
Open APIs
An Open API (often called a public or developer API) is published for callers outside your employee network. Weather data, login with a third-party IdP, and product catalog fetch are classic cases. You still need keys, OAuth, quotas, and versioning — "open" means available under terms, not anonymous and unlimited.
REST dominates here: cacheable GETs, CDN edges, OpenAPI docs. GraphQL fits when many client apps need different field shapes from one product graph (feeds, custom dashboards). SOAP shows up when regulated industries still require XML envelopes and formal WSDL — bank transfers, insurance claims, government records — even when the marketing slide parks SOAP under "Open." Prefer REST/OpenAPI for greenfield public surfaces unless a partner mandate says otherwise.
Quick reference
- Use cases: weather, public login/OIDC, product fetch, maps, payments SDKs.
- REST — simple CRUD and CDN caching; default for public HTTP APIs.
- GraphQL — mobile/web with divergent screens; watch query cost and depth.
- SOAP — legacy and regulated XML contracts; do not choose it for fashion.
- Ship OpenAPI (or a GraphQL schema) + rate limits before the first blog post.
Remember this
I know Open APIs need published contracts and abuse controls — style is a separate choice.
Internal APIs
Internal APIs connect systems you operate: backend→backend payment sync, token verify between auth and checkout, stock update between inventory and cart. Frontend→backend login, profile fetch, and live search are also internal from the company boundary’s view — even though the browser is on the public internet; the contract is owned by one product team.
The slide’s third child — Service to Database (user insert, profile update, report query) — is usually not an API type. That path is a driver, ORM, or repository. Exposing the database as a network API to every service recreates a distributed monolith. Prefer a service owning the table and exposing a real internal HTTP/gRPC API; keep SQL behind that boundary.
Prefer gRPC or REST+JSON for service meshes; keep FE→BE on REST or GraphQL. Authenticate with mTLS or workload identity even on private networks — VPN membership is not a substitute for least privilege.
Quick reference
- Backend→backend: payment sync, token verify, stock update.
- Frontend→backend: login, profile, live search — still your contract.
- Service→database: data access layer, not a peer of REST/GraphQL.
- Internal ≠ insecure: rotate secrets, scope tokens, log callers.
Remember this
I can describe Internal APIs as owned contracts — and I will not call a DB driver an API type.
Partner APIs
Partner APIs sit between Open and Internal. A named counterparty — hotel chain, airline, payment gateway, affiliate network — calls you (or you call them) under a contract. B2B booking feeds, commission tracking, and health/finance/logistics data sharing belong here. Credentials are per-partner, often mutual TLS or OAuth client credentials with narrow scopes.
Change management is the real cost: partners cannot absorb weekly breaking changes. Version paths, publish deprecation windows, and measure partner-facing error budgets, not only your internal SLOs. Affiliate click analytics and product-link APIs look "simple" until dispute reconciliation needs immutable request IDs.
Quick reference
- B2B: hotel booking, airline data, payment gateway.
- Affiliate: product links, commission tracking, click analytics.
- Data sharing: health, finance, logistics — often compliance-heavy.
- Prefer contract tests and sandbox environments before production keys.
Remember this
I can justify Partner APIs with per-counterparty auth, SLAs, and change windows.
How to choose with evidence
Do not pick a branch by poster color. List caller classes for one product surface (browser, mobile, partner airline, public widget). For each class write: auth mechanism, expected QPS, PII exposure, and who pays when the contract breaks.
Promote Internal → Partner when a named company needs production access. Promote Partner → Open when you want a developer program and can staff abuse response. Pick REST vs GraphQL vs SOAP from [the style comparison](/blog/graphql-vs-rest-vs-grpc) only after the audience lane is clear — style will not fix a wrong trust boundary.
Quick reference
- Start Internal for the product you fully own.
- Add Partner when legal + support can name the counterparty.
- Add Open when docs, keys, and rate limits are funded.
- Track: auth failures, partner tickets, p95, and breaking-change count per quarter.
- If "Service to Database" appears on an architecture slide, redraw it as ownership + API.
Remember this
I can defend an audience lane with caller class, auth, and change-cost evidence — not a tree diagram.
Key takeaway
Open, Internal, and Partner describe who may call. REST, SOAP, GraphQL, and gRPC describe how the call is shaped. Keep database access behind a service that owns the data — that path is not a fourth "API type" on the audience tree.
Practice (20 min): For the travel checkout example, label five real endpoints Open / Internal / Partner. Rewrite one "service→database" arrow as a service API. Draft the auth header (or mTLS note) you would require for the airline partner call — no framework shopping list required.
Related Articles
Explore this topic