A service is doing computing. That is to say, a service is running some sort of code, whether it’s just serving up data or running a huge computational process. To access that service, we often have an API, or to spell it out, an Application Programming Interface. This is the presentation layer that gives you JSON or XML or whatever output the service is producing.
Unfortunately, the idea of an API gets a little more abstract than that, because there can be a broader API that encompasses and fronts many services. This is what we usually mean when we say "we’re building an API."
Each service may have its own API, but the way we access that is through something like an API gateway. This is where we can grant public access to all the services in a data center, or even services running in different data centers but presented as one collection.
All the services can then be controlled by one set of governance with common security and common access patterns. That doesn't mean these individual services don't have to have their own security. What it does mean is that a service exposes data through one or more APIs, and we have to be concerned about the security and the conformity of the data through all of those points of entry.