No Stupid Questions

API Basics
For People Who Hire People

You've used AI tools. Now learn how the apps you use every day actually talk to each other — and how to make them do new things for you.

⏱ ~20 min read 🧠 4 concepts 🛠 Hands-on with GitHub ✅ Knowledge check included
Concept 01

What's an API?

An API is how one piece of software asks another for something. If you've ever ordered from a restaurant menu, you already understand the idea.

The restaurant analogy

You sit down at a restaurant. You don't walk into the kitchen and start cooking — you read the menu, tell the server what you want, and wait. The kitchen does the work. The server brings back the dish.

An API is the menu. The kitchen is the server (where the data lives). You're the customer. The server (the API) takes your specific request and brings back exactly what you asked for — no more, no less.

🧾
Two words to know

Request — what you ask for. Response — what comes back. That's the whole loop. Every API call is just request → response.

💻 You (or your app)
GET /users/octocat
{ name: "The Octocat" }
🏢 GitHub (their server)
Click to send a request

Why this matters for recruiters

Every recruiting tool you use — Ashby, Greenhouse, BrightHire, LinkedIn Recruiter — is built on APIs talking to each other. When you click "Move to Job Fit" in your ATS, your browser is making an API call. Understanding what's happening under the hood unlocks two things:

Concept 02

Make Your First Call

Enough theory. Let's actually do it. We'll use GitHub's public API — no signup, no key, just type a username and see real data come back.

Anatomy of an API call

Every API call has a few parts. Here's what we're about to send to GitHub:

GET https://api.github.com/users/octocat
Method — the action (GET = fetch data)
Base URL — where the API lives
Path — which resource you want
💡
GET is the verb

There are other verbs (POST to create, PUT to update, DELETE to remove), but GET is by far the most common. 90% of what a recruiter would do with an API starts with GET.

GEThttps://api.github.com/users/octocat
📦 Raw JSON Response
Click "Get Profile" to see real data come back from GitHub
✨ Parsed (the same data, prettier)
An app would turn the raw JSON into something humans read

🔓 Wait — where's the API key in this demo?

There isn't one. That's the unusual part, and it's worth explaining so you don't think this is how all APIs work.

GitHub's public profile data is exactly that — public. The same data you can see by going to github.com/octocat in your browser. So GitHub lets anyone read it without authentication. Your browser doesn't have a "key" when you visit github.com; this API call works the same way.

That's why this demo runs in your browser with zero setup. It's the friendliest possible "first API call."

But most APIs aren't like this. Anthropic, OpenAI, Ashby, BrightHire, Slack — all require a key on every request. Even GitHub requires one as soon as you want to do anything beyond public reads (search private data, post comments, etc.). The reasons are universal:

Concept 04 covers what keys look like, where they come from, and the safe ways to handle them. For now, just know: this demo is the exception, not the rule.

📦
What you just got back is JSON

JSON (JavaScript Object Notation) is the format almost every modern API returns. It's structured data — key-value pairs like "name": "The Octocat" — that apps can read and use. The "raw JSON" panel shows exactly what GitHub sent. The "parsed" panel shows what that data looks like once you pull out the pieces you care about. Same data, two views.

The mental shift

You just did programmatically what a recruiter normally does by going to github.com/octocat in a browser. The browser does the same call under the hood. The difference: you can now do this at scale — fetch 50 profiles in a Zap, paste a list into a Claude conversation, automate the whole thing.

Concept 03

Going Deeper — Parameters & Search

Most APIs do more than fetch one record at a time. Parameters let you filter, search, and combine — which is where the real sourcing power shows up.

Parameters: tell the API exactly what you want

Parameters are extra instructions you tack onto the URL. They come after a ?. Multiple parameters are joined with &. For example:

GET https://api.github.com/search/users?q=language:Python+location:Portland
Method — GET
Base URL
Path — search users
Parameters — what you're searching for
🎯
Sourcing in one URL

That URL above? It's basically "find me Python engineers in Portland." No sourcing tool needed. The API is the sourcing tool.

GEThttps://api.github.com/search/users?q=location:Portland
🔍 Top Results
Pick a language and location, then click Search

What you've unlocked

One API endpoint, one URL, and you can:

This is the same logic LinkedIn Recruiter Search uses — boolean filters narrowing a giant pool down to a list of relevant candidates. Except the GitHub version is free, returns more depth on people's actual work, and you can automate it.

Concept 04

The Real-World Stuff

Four things you'll trip over the first time you use an API for real: API keys, rate limits, errors, and sensitive data. Knowing these up front saves you hours of confusion later.

🔑 API keys — your identity badge

GitHub's public endpoints don't require a key, which is why this module works without one. But most APIs you'll use professionally (Ashby, BrightHire, Anthropic, OpenAI, Slack) require a key — a long random string that proves who you are and what you're allowed to do.

Think of it like a hotel key card. It's tied to you, it controls what rooms you can enter, and if you lose it, anyone holding it can walk in pretending to be you.

Where API keys come from

Every API provider has an "API keys" or "Developer settings" section in their dashboard. You log in, click a button, and they generate a unique key for you. Here's roughly what that looks like:

console.your-api-provider.com
Settings → API Keys
Your API Keys
Keys let your code talk to our API. Treat them like passwords — never share, never commit, never paste in chat.
Name Key (last 4) Created Status
Production Zap ···f3Lq Jan 12, 2026 Active
Old Slack Bot ···9Aab Nov 04, 2025 Revoked
⚠️ This is the only time you'll see the full key Copy it now and store it somewhere safe. We can't show it to you again — only the last 4 characters.
👀
The "shown once" pattern is universal

Anthropic, OpenAI, GitHub, Ashby — almost every provider only shows the full key one time, at creation. After that, only the last 4 characters are visible. If you forget where you stored it, you have to generate a new one and update everywhere it was being used. Store it carefully the moment you create it.

What real keys look like

Different providers use different formats, but they all share a recognizable prefix that tells you which provider it came from. Some examples (these are fake, but the format is real):

Anthropic sk-ant-api03-jXh9Vk0d2NfPpQqRrSsTtUuVvWwXxYy_AaBbCc-EeFf_GgHh1234567890
OpenAI sk-proj-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
GitHub ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
Slack (bot) xoxb-1234567890-AbCdEfGhIjKlMnOp
Ashby (no fixed prefix — just a long random string generated in Admin → API Keys)
🔍
Prefix = identity

If you ever see a string starting with sk-ant- in a Slack channel or a Google Doc — that's an Anthropic key in the wild and someone has a problem. Train your eye to recognize them. Tools like GitHub's secret scanning and Slack's data loss prevention auto-detect these patterns.

How the key actually gets used

The key goes in a header on the request — a piece of metadata sent alongside the URL. The API reads the header, checks the key, and decides whether to respond.

Without a key (GitHub public — what you've been doing)
GET https://api.github.com/users/octocat // no headers needed
With a key (private data, higher rate limits)
GET https://api.github.com/users/octocat Authorization: Bearer ghp_AbCdEfGh...0123456789 // the key is invisibly sent with every request

When you connect Anthropic to Zapier, or paste a key into Claude Desktop's settings, or add it to a `.env` file — what's happening behind the scenes is that tool is attaching this Authorization header to every API call it makes on your behalf.

Where keys should (and shouldn't) live

✅ Safe places
  • 🔐 Password manager (1Password, Bitwarden)
  • ⚙️ Tool's "connections" or "credentials" UI (Zapier, Claude Desktop, n8n)
  • 🔒 Environment variables (.env files, never committed)
  • 🗝 Secret managers (AWS Secrets Manager, Doppler, 1Password CLI)
❌ Never put keys here
  • 💬 Slack messages or DMs
  • 📄 Google Docs / Notion pages
  • 📧 Emails
  • 📝 Code committed to GitHub
  • 📸 Screenshots or screen shares
  • 🎟 Support tickets to anyone

What's a .env file?

If you've ever followed a tutorial that said "add your API key to a .env file" and felt lost — you're not alone. It's one of the most common stumbling blocks for non-engineers, and it's actually really simple once you see it.

A .env file is just a plain text file that lives in your project folder. It holds your secrets (API keys, passwords, database URLs) as a list of key-value pairs. Apps read those values at startup, so the secrets never appear in the actual code.

📄 .env
# API keys for this project ANTHROPIC_API_KEY=sk-ant-api03-xxxxx... OPENAI_API_KEY=sk-proj-xxxxx... GITHUB_TOKEN=ghp_xxxxx...   # Other config DATABASE_URL=postgres://... DEBUG=true
🛡 .gitignore
# Never commit these to git .env .env.local .env.*.local   node_modules/ __pycache__/ *.log

Here's how each piece works:

The two files explained

The format inside .env is just KEY_NAME=value, one per line. No quotes needed, no spaces around the equals sign. Lines starting with # are comments.

How code uses it

Instead of hardcoding the key in the source code (where anyone reading the code would see it), the code references the variable name. The actual value loads from .env at runtime:

# ❌ Bad — key hardcoded, anyone with the code has the key client = Anthropic(api_key="sk-ant-api03-xxxxx...") # ✅ Good — key loaded from .env, code is safe to share client = Anthropic(api_key=os.environ["ANTHROPIC_API_KEY"])
🧠
The mental model

Think of .env as the "secrets drawer" of a project. The code knows there's a drawer with a label like ANTHROPIC_API_KEY. It opens the drawer and uses whatever's inside. If you replace the key, the code keeps working — you just swap the contents of the drawer. The code itself never changes.

⚠️
The classic mistake

Forgetting to add .env to .gitignore before your first commit. The keys then get pushed to GitHub, and even if you delete them later, they live in git history forever. Always set up .gitignore first. Most modern project templates (created via npx, create-react-app, etc.) handle this for you automatically — but always double-check.

When you'll encounter .env files

If you're using no-code tools (Zapier, n8n, Claude Desktop), you usually don't need a .env file — those tools have their own "credentials" UI that does the same job. .env mostly matters when you're writing or running actual code.

🚨
If you accidentally share a key

Revoke it immediately in the provider's settings (every provider has a "Revoke" button), then generate a new one. A leaked key can run up bills, expose data, or get your account suspended. Editing or deleting the message isn't enough — cached copies, notifications, and other people's screens may have seen it. Speed matters more than damage control.

⏱ Rate limits — how many calls you get

APIs cap how many requests you can make in a window of time. GitHub's unauthenticated limit is 60 requests per hour, per IP address. With a key (free), that jumps to 5,000/hour. If you hit the cap, the API returns a 403 error until the window resets.

Rule of thumb: if you're calling an API in a Zap or a loop, count your calls. 50 candidates × 3 lookups each = 150 calls. Plan for that.

❌ Error codes — what went wrong

Every response comes with a status code. The common ones:

🔒 Sensitive data — the recruiter's biggest gotcha

This is the most important section. APIs are powerful, but they send your data to someone else's server. If you wouldn't email it to an external vendor, don't send it to an API without thinking hard first.

At Zapier, our People Team data classification rules apply to API usage too: yellow-tier data (candidate PII, comp ranges, interview notes) needs approval before being routed through Zapier products or third-party APIs. Red-tier data (medical notes, pre-announcement reorg info) is prohibited.

Should this be sent to a public API? Tap each scenario:
A public GitHub username someone shared with you for sourcing research.
A candidate's full resume PDF from your ATS, with their address and phone number.
Your company's internal comp ranges for an open req, for analyzing market positioning.
A job description that's already published on your company's public careers page.
⚖️
When in doubt, ask

If you're not sure whether you can route a piece of data through an API, ask your data governance owner. At Zapier, that's #wg-people-ai-transformation. Better to ask once than to find out the hard way.

Practical Tips

For Your First Real Use Case

A few things that'll save you time when you go from this module to something useful at work.

📚

Read the docs first

Every API publishes documentation. Skim it before writing your first call — it'll show you the endpoints, the parameters, the limits. Don't guess.

🧪

Test in Postman or curl first

Before wiring an API into a Zap or a script, hit it once manually. Confirm it returns what you expect. Then automate.

🔄

Cache when you can

If you're looking up the same data repeatedly, save the response somewhere (a Google Sheet, a database). Don't re-call the API for data that doesn't change.

🐌

Respect rate limits

Build delays into bulk operations. 60 calls per hour means roughly one per minute. Slamming an API gets you blocked.

📝

Log everything

When something breaks (and it will), you'll want to see what request you sent and what came back. Keep logs in your automation tool.

🤝

Start small, then scale

Get one candidate lookup working perfectly before running 200 in a loop. Bugs at scale are 200x more painful to debug.

🚀 Where to go from here

Now that you understand requests, responses, parameters, and the real-world gotchas, you're set up for the next module: building your first MCP — wrapping an API like GitHub into a tool that Claude or Sidekick can use natively. Same concepts, applied differently.

Knowledge Check

Test Yourself

Five quick questions. Click an answer to see if you've got it.

1. You make a call to GET https://api.github.com/users/octocat and get back a JSON response. What did you actually do?
2. You get back a status code of 404. What's most likely the issue?
3. A colleague pastes their Anthropic API key in a Slack thread asking for help with a Zap. What should happen?
4. You're building a Zap that looks up GitHub data for each candidate in an Ashby pipeline. Your test pipeline has 200 candidates. What's the risk?
5. Why bother with APIs when you could just use the GitHub website directly?