An API needs to be user friendly, secure, documented, versioned, and handle failures gracefully to be considered great. The document discusses how APIs have evolved from monolithic applications to microservices that decompose functionality. It also covers best practices for API design like using RESTful principles, supporting different interaction patterns, handling dates and errors properly, and using authentication standards like OAuth. Versioning approaches and ensuring APIs are well documented and fail gracefully are also emphasized as important characteristics of a great API.
3. About MuleSoft
• Connect anything to
everything!
• Publish APIs
• Mediate services
• Integrate applications
• Load data
• Over 100K dev
community
• 3200+ production
deployments
9. …is being decomposed
Presentation Tier Presentation Tier 3rd party Apps Client
JSON / XML JSON / XML JSON / XML
Middle Tier Server
Data
database Data Tier
9
10. …is being decomposed
Presentation Tier Presentation Tier 3rd party Apps Client
JSON / XML JSON / XML JSON / XML
Middle Tier Server
API API API
API API
SaaS, Infrastructure Services, Data
database
API
Social Media APIs API Data Tier
API API
API API
API
10
14. Technology Shift
Newer Application Environments
Application
Application
Security
UI API
Database
Business Logic
Web Server
Operating System Data Integration
16. What APIs are you using?
• CRM – Salesforce, MS Dynamics, SAP
• Data services – Xeround, Mongo, RDS
• eCommerce – PayPal, QuickBooks, Xero, Freshbooks
• Email – Amazon SES, SendGrid
• Messaging – PubNub, Cloud AMQP
• Notifications – Urban Airship, Twilio
• Security – Katasoft
• Social – Facebook, Twitter, LinkedIn
• Storage – S3, DropBox
17. Changing business models
Build an eco-system of
integrations which
provide more value to CRM
your customers Mobile ERPs
Your
Plethora of business
models – fremium, pay eCommerce
API Marketing
for use, tiers, etc
HRM
23. #1: CRUD + Actions
Create POST /widgets
Read GET /widgets
GET /widgets?name=Foo
GET /widgets/123
Update PUT /widgets/123
Delete DELETE /widgets/123
…
Execute POST /widgets/123/execute
24. #2: Batch
“Web architects must understand that resources
are just consistent mappings from an identifier to
some set of views on server-side state. If one view
doesn’t suit your needs, then feel free to create a
different resource that provides a better view (for
any definition of “better”). These views need not
have anything to do with how the information is
stored on the server, or even what kind of state it
ultimately reflects. It just needs to be
understandable (and actionable) by the recipient.”
- Fielding
25. #2: Batch
Bulk Load POST /jobs
* , widget1 -, ,widget2-, … +
200 OK
Location /jobs/123
Get Job Status GET /jobs/123
[ status1, status2, status3, etc ]
27. #4:
• Instant notification for the web!
• Example:
– Client creates an invoice
– Freshbooks calls HTTP webhook to synchronize
invoice to Salesforce
28.
29. #5: Async
1. Send message
POST /messages
{ … }
201 Received
Location /messages/123
2. Check Status
GET /messages/123
30. A GREAT API IS … CORRECT*
* Except when it shouldn’t be
31. Partial responses
Dates & Timezones
Hypertext
Stateful
Details matter
Error 500 Content-Types
GET Pagination
Data modeling
32. Data Types
OrganizationServiceStub.AttributeCollection updateCollection =
new OrganizationServiceStub.AttributeCollection();
OrganizationServiceStub.KeyValuePairOfstringanyType telephone =
new OrganizationServiceStub.KeyValuePairOfstringanyType();
telephone.setKey("telephone1");
telephone.setValue("425-555-1212");
updateCollection.addKeyValuePairOfstringanyType(telephone);
41. “Special” Companies Normal Companies
• Microsoft (WS- • Salesforce (OAuth 2 or Basic
Security/Policy + Live ID Auth*)
variant) • Twitter (OAuth 1)
• QuickBooks (SAML/OAuth • Facebook (OAuth 2)
variation)
• AWS (Custom encryption)
42. Basic Auth + SSL
• Easy
• Accessible
• Not great for public APIs…
43. OAuth!
• 1.0: out of band tokens
• 2.0:
– 2 legged authentication
– No more encryption of tokens
– Short lived tokens with expiration & refresh
– Grant types
57. Things to consider
• Include versioning from the start
• How long should you maintain versions?
• How often will you make changes?
• Will you have minor versions?
• Date based?
58. Which approach
Header URL
• Potentially more “correct” • Easier to hack in the
HATEOS approach browser & with curl
• Provides clarity when there
are structural changes
– e.g. it’s clear that resource
/foo went away in version 2
60. A great error has
1. A machine understandable HTTP status code
2. An end user message
3. If relevant, details for the developer to
escalate the issue (tracking #)
61. POST /foo
{ … bad data … }
200 OK
{
“message” : “Invalid request”
}
62. POST /foo
{ … bad data … }
400 Bad Request
Content-Length: 0
63. Good
POST /foo
{ … bad data … }
400 Bad Request
{
“message” : “The field foo123
is not allowed on the request.”
}
64. Good
POST /contacts
{ “name” : “Dan Diephouse” }
409 Contact Exists
{
“message” : “A contact with
that name already exists.”
}
65. Good
POST /contacts
{ “name” : “Dan Diephouse” }
500 Error
{
“message” : “We were not able to process
you’re request due to an unexpected error.
Please contact support for help in resolving
this request (Request ID 19022334).”
“requestId” : 19022334
“time” : “2012-03-01T13:00:00Z”
}
66. A Great API
• User friendly
• “Correct”
• Secure
• Documented
• Versioned
• Fails Gracefully
Thanks for inviting me.Background in integration I live in San FranciscoI love wineI play the accordionI love building products and products need APIs.Currently focused on the problem of connecting everything together – how do we make it as simple as possible? How do we break down cloud silos?
Let’s talk about the impact of APIs and I don’t mean all the schwag we see around this conference. Look around, all these companies are focusing on APIs. It’s not just developers anymore, it’s everyone.How many of you integrate with more than one API?
Center of gravity shifting to the cloudRise of the composite appLess visibility and controlRapid innovation means middleware must adapt and support change
We’ll start around the early 2000s, where the traditional application looked something .HTML rendered by serverData tier maintained by db admins, run on premise
Presentation tier moves to client side – AJAX (Backbone, Ext, Sencha, Jquery, etc) and Mobile (iPhone, Android)Expectation now from consumers that you have a mobile appForces a shift – everything now has a REST API
People DEMAND an API and your business wants to monetize it Look at all the companies here around this…
Correspondingly, you want to use everyone else’s APIsYour application is no longer a database, it’s a composite application based on a number of different infrastructure services, social media APIs, etc
Simultaneously there is a platform shift, we’re moving from the 3 tier server to PaaS and IaaSHow many here deploy their applications on Heroku?
Building it themselves
Data is still important, but integration to external services is becoming just as important. Is all your data in the database? Or do you have it spread out over different services/datastore? There is no one DB to rule them all for example
Building it themselves
Building it themselves
The worst APIs are the ones that were designed without any thought. The ones that just expose whatever at random. They don’t worry about the how and why, but as any user knows, that’s the most important part.
This talk presupposes that REST is the way to go, so I figure I better say a few words on that. I really go to REST+JSON by default. You have to make a strong argument with me to go another way. I’m sure you know by now – REST stands for Representation State transfer. The simple way to explain it is that you have a set of nouns (widgets) and fixed set of verbs. REST has so many good things going for it-it is the language of the webit is scalableit is easy to get started – you just hit the URL in the browser or with Curl. No complicated libraries. You can also take it in pieces. it is universalit is evolvable – we can use URIs and data formats to build up a set of nouns The only thing about REST that is not great is that people easily screw it up. I’m sure people will say the same thing about me – because I’m advocating a kind of REST-lite approach. but as long as you’re concious of the downsides of leaving other stuff behind, you can do it.I think the market is bearing this out as well in terms of what we’re seeing from vendors and the services they produce.
Choose your nouns, not your verbs.For things that don’t fit, then put the action in the URI
A great API supports batch if your users need it. Don’t make people hit your API a million times to import a million rows.While there is also HTTP pipelineing, it has a couple challengeserrors returned in same order, which can add latencynot well supported by client libraries
I call this streaming because this is what Salesforce calls it, but by it I simply mean pub sub over HTTP-It gives up some of the advantages of REST (statefulness), but it gives you real time updates and reduces the # of requests the client needs to make-Difficult to implement for consumers as it’s uncommon-
“so simple you’ll think it’s stupid”
I can’t make you to write beautiful code, but I can try! So I will highlight a few problems if you don’t implement stuff correctly
MS Dynamics CRMno thought to data structuresTried to do a schemaless design in a schema – XML schema just deal well with that. Ended up with Arrayofstringtype and so on-would be better off with a schemaless JSON based design
Timezones!
Timezones!
Make your application hypertext. Then users can browse to different resources
AWS I will give a little bit of slack because pre-date everything – and at least it’s consistent and easy.
OAuth allows you to build an authentication mechanism which allows applications to act, not just usersIt is much more secure for 3rd party applications because you can track turn off access for invididual applications.
If anything use XML encryption. I completely get that there are valid use cases that WS-Security meets that other specs don’t, but crikey, it’s impossible for people to use, so don’t expect your API to catch on with it.