Any new digital service built today also needs to be exposed as an API; this is at the core of agile, successful digital businesses. It forces digital organizations to create new APIs while consuming many other APIs in the process, effectively becoming part of the global API supply chain.
However, many API strategies fail, mostly because the full lifecycle of an API, from conceptualization through engineering to production and evolution, is underestimated. Getting optimal ROI from APIs requires understanding the nuances of building them and finding the right balance between what you build and what you reuse. This slide deck discusses:
• How we develop APIs today and commonly noticed problems
• The different types of APIs in an organization and their nuances
• 5 key elements for developing enterprise-grade APIs
• The safest bet for a successful API strategy
We also explore Choreo, an integration Platform as a Service for API developers: https://wso2.com/choreo
3. Agenda
● Building APIs in today’s world - The problems we face
● Types of APIs in an enterprise and their roles
● The Marketplace of APIs
● Programmability of APIs
● API security
● API monitoring
● The API lifecycle
● Conclusion
4. Building APIs in Today’s World
● API - Contract of a function
exposed over the network.
● APIs are everywhere
๏ Both external and internal.
● Frameworks for building APIs:
SpringBoot, Dropwizard, Express,
Flask, Ballerina, etc.
Image Source:
https://www.bvp.com/atlas/state-of-the-cloud-2020/
5. Building APIs in Today’s World
● An API is rarely a standalone program
๏ It is distributed across several
microservices.
● Microservices can be of different types
๏ Synchronous/Asynchronous.
๏ gRPC, HTTP/REST, Kafka, etc.
● Building APIs requires cross-team
collaboration.
6. Building APIs in Today’s World - The Problems We Face
● Development Time Challenges
๏ Discovery of APIs.
๏ Programmability of APIs.
๏ . . . .
● Runtime Challenges
๏ Resiliency.
๏ Security.
๏ Scale.
๏ . . . .
8. Types of APIs in the Architecture
● Edge APIs
● Domain APIs
● Third Party APIs
● Synchronous APIs
● Asynchronous APIs
● Data sources
● Event streams
9. 1. API Discovery: The Marketplace of APIs
● Frameworks such as Netflix’s Eureka offer dynamic service registration and
discovery.
๏ These don’t capture the full scope of what is needed for developers to build
APIs.
● An overarching marketplace of internal and external APIs, events and data sources is
required for developers to build APIs.
10. Public API Marketplaces
● Programmable Web
● RapidAPI
● APIs Guru
● SwaggerHub
● Postman API Network
● APIs.io
11. Characteristics of the Marketplace
● Provides visibility to all dependencies (endpoints, libraries) required for building
APIs.
● Categorization, searching and filtering
๏ Industry type, protocol, interface spec.
๏ Recommendations, usage data.
● Governance to control who can see and use which services.
๏ User groups/teams.
● Ability for governance rules to be translated to runtime policies.
๏ Access control.
๏ Environment specific endpoints and credentials.
● Administration of credentials to endpoints.
12. 2. API Programmability
● API programmability is how easily a developer can connect to an API and interact with it.
● The programmability of an API is tightly coupled with the marketplace in which the API is
published.
● Aspects that determine the level of programmability of an API include:
๏ Discoverability of the API.
๏ Connectivity to the API.
๏ Quality of the API documentation.
๏ Level of complexity in obtaining security keys.
๏ Complexity involved in programming resiliently.
13. Programming Against the Twilio API
(Code screenshot: initializing the Twilio client with credentials, then sending the message.)
14. Things to Consider When Programming Against an API
● Security
๏ Obtain credentials.
๏ Store credentials securely.
๏ Propagate credentials through CI/CD pipelines of the app.
● Error Handling
๏ Invalid or disconnected phone.
๏ Invalid or expired credentials.
๏ Temporary network outages.
● Connectivity and availability issues
๏ APIs being retired.
๏ Expired certificates.
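The three concerns on this slide (credentials that arrive from the pipeline rather than the source tree, errors that must not be retried versus errors that should be, and network or TLS failures) are what a client of any third-party API has to get right. The following is an added example, not code from the original deck or from Twilio; the environment variable names, the HTTP status mapping and the fake transport are assumptions made so that it runs offline. The key design point is that only transient failures are retried, with backoff, while bad credentials, an invalid phone number, a retired endpoint or a certificate failure surface immediately instead of being hammered or papered over.

```python
import ssl
import time
from dataclasses import dataclass
from typing import Callable, Mapping


class PermanentError(Exception):
    """Retrying cannot help: bad credentials, an invalid phone number, a retired endpoint."""


class TransientError(Exception):
    """May clear on its own: a network blip, provider throttling (429) or a 5xx."""


@dataclass(frozen=True)
class Credentials:
    account_sid: str
    auth_token: str


def load_credentials(env: Mapping[str, str]) -> Credentials:
    """Read credentials from environment variables that the CI/CD pipeline injects from its
    secret store; they are never committed with the code. Template placeholders are rejected
    so a misconfigured deployment fails at startup rather than at the first customer request."""
    sid = env.get("TWILIO_ACCOUNT_SID", "")  # variable names are assumptions for this example
    token = env.get("TWILIO_AUTH_TOKEN", "")
    if not sid or not token or "CHANGEME" in (sid + token).upper():
        raise PermanentError("credentials missing or still set to a placeholder")
    return Credentials(sid, token)


def classify_status(status: int) -> None:
    """Map the provider's HTTP status onto the two error classes above (hypothetical mapping)."""
    if 200 <= status < 300:
        return
    if status in (401, 403):
        raise PermanentError(f"credentials rejected (HTTP {status}); rotate or re-provision them")
    if status == 410:
        raise PermanentError("endpoint retired (HTTP 410); migrate to the successor version")
    if status == 429 or status >= 500:
        raise TransientError(f"provider throttling or unavailable (HTTP {status})")
    raise PermanentError(f"request rejected (HTTP {status}); check the payload, e.g. the phone number")


def call_with_retry(request: Callable[[], int], max_attempts: int = 3, base_delay: float = 0.5,
                    sleep: Callable[[float], None] = time.sleep) -> int:
    """Run `request` (a transport that returns an HTTP status or raises OSError) with exponential
    backoff on transient failures only. Returns the attempt number that succeeded."""
    for attempt in range(1, max_attempts + 1):
        try:
            status = request()
        except ssl.SSLError as exc:
            # An expired or untrusted certificate will not fix itself, and the wrong fix is to
            # disable verification. Raise so the dependency owner gets paged.
            raise PermanentError(f"TLS failure talking to the provider: {exc}") from exc
        except OSError as exc:
            error = TransientError(f"network error: {exc}")
        else:
            try:
                classify_status(status)
                return attempt
            except TransientError as exc:
                error = exc
        if attempt == max_attempts:
            raise error
        sleep(base_delay * 2 ** (attempt - 1))
    raise AssertionError("unreachable")


def make_fake_transport(outcomes: list) -> Callable[[], int]:
    """Constructed stand-in for the SMS provider: replays `outcomes` (an int status, or an
    exception instance to raise) in order, then answers 201 Created."""
    queue = list(outcomes)

    def request() -> int:
        outcome = queue.pop(0) if queue else 201
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome
    return request


if __name__ == "__main__":
    creds = load_credentials({"TWILIO_ACCOUNT_SID": "ACexample", "TWILIO_AUTH_TOKEN": "s3cr3t"})
    transport = make_fake_transport([503, ConnectionError("connection reset"), 201])
    print("sent as", creds.account_sid, "on attempt", call_with_retry(transport, sleep=lambda s: None))
```

The fake transport is swapped for the real HTTP client in production; everything above it stays the same, which is the point of keeping credential handling and error classification outside the transport.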
15. 3. API Security
● Security is an essential part of building a successful API strategy.
● Exposing APIs securely and accessing APIs securely are equally important.
● Securing APIs isn’t just about authentication and authorization.
๏ It is vital for organizations to understand the different aspects of securing APIs.
● Let’s start by looking at the API security landscape.
17. External API Security - API Gateway
(Diagram: an API gateway in front of the API applying bot detection, authentication & authorization, rate limiting, payload scanning, data redaction, surveillance logs and AI/ML analysis.)
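The gateway functions in the diagram are easiest to understand as an ordered pipeline that each request passes through before the API sees it and each response passes through before the consumer sees it. Below is an added example, not code from the deck or from any WSO2 product, of a minimal in-process gateway that does authentication (constant-time API-key check), per-consumer rate limiting (token bucket), payload scanning (size cap, JSON shape, field allow-list) and data redaction on the response. The API keys, the limits, the field names and the backend are all constructed for the example.

```python
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed consumer keys for the example; a real gateway looks them up (hashed) in its key store.
API_KEYS = {"key-alpha-0001": "consumer-alpha"}
MAX_BODY_BYTES = 1024                      # payload scanning: hard size cap before parsing
ALLOWED_FIELDS = {"account_id", "amount"}  # payload scanning: request schema allow-list
BURST, REFILL_PER_SEC = 5, 1.0             # rate limiting: per-consumer token bucket


@dataclass
class TokenBucket:
    capacity: int
    refill_per_sec: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.capacity)

    def allow(self, now: float) -> bool:
        """Refill proportionally to elapsed time, then spend one token if any is left."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the consumer for a presented key; compare_digest keeps the check constant-time."""
    presented = headers.get("x-api-key", "").encode()
    for key, consumer in API_KEYS.items():
        if hmac.compare_digest(presented, key.encode()):
            return consumer
    return None


def scan_payload(body: bytes) -> Tuple[int, dict]:
    """Reject oversized, non-JSON, non-object or unexpected-field bodies before the backend sees them."""
    if len(body) > MAX_BODY_BYTES:
        return 413, {"error": "payload too large"}
    try:
        data = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(data, dict):
        return 400, {"error": "body must be a JSON object"}
    unexpected = set(data) - ALLOWED_FIELDS
    if unexpected:
        return 400, {"error": f"unexpected fields: {sorted(unexpected)}"}
    return 200, data


def redact(response: dict) -> dict:
    """Data redaction on the way out: mask card numbers to the last four digits, drop SSNs entirely."""
    out = dict(response)
    if "card_number" in out:
        out["card_number"] = "*" * (len(out["card_number"]) - 4) + out["card_number"][-4:]
    out.pop("ssn", None)
    return out


@dataclass
class Gateway:
    backend: Callable[[str, dict], dict]
    buckets: Dict[str, TokenBucket] = field(default_factory=dict)

    def handle(self, headers: Dict[str, str], body: bytes, now: float) -> Tuple[int, dict]:
        """Policy order: identify the caller, throttle it, validate what it sent, then call the API."""
        consumer = authenticate(headers)
        if consumer is None:
            return 401, {"error": "missing or invalid API key"}
        bucket = self.buckets.setdefault(consumer, TokenBucket(BURST, REFILL_PER_SEC))
        if not bucket.allow(now):
            return 429, {"error": "rate limit exceeded"}
        status, data = scan_payload(body)
        if status != 200:
            return status, data
        return 200, redact(self.backend(consumer, data))


def fake_backend(consumer: str, request: dict) -> dict:
    """Constructed upstream API that returns sensitive fields the gateway must strip."""
    return {"consumer": consumer, "account_id": request.get("account_id"), "balance": 42,
            "card_number": "4111111111111111", "ssn": "123-45-6789"}
```

Rate limiting is applied before payload parsing so that an abusive consumer cannot make the gateway spend parsing effort on its behalf; the size cap sits before the JSON parser for the same reason.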
19. Creating a Zero Trust Environment
● A zero trust environment requires
service-to-service authentication: a call
is not trusted just because it originated
inside the network.
● An internal Security Token Service (STS)
can issue short-lived tokens that services
present to each other.
● The sidecar approach is a common way
to achieve this.
● The sidecar also provides a place to
enforce policies.
● Token caching and fetching tokens at
startup reduce the latency this adds.
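To make the STS flow concrete, here is an added example, not code from the deck or from any WSO2 product, of the two halves: an internal STS that mints short-lived, audience-bound tokens, and the check a receiving service (or its sidecar) performs before trusting the caller, plus a sidecar-style cache that refreshes a token before it expires so the STS is not on the hot path of every call. The issuer name, key, TTL and service names are assumptions. HS256 with one shared key keeps the example self-contained; a production STS signs with a private key (RS256 or ES256) so that services holding only the public key cannot mint tokens for each other.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

ISSUER = "internal-sts"  # assumed issuer name for this example


class TokenError(Exception):
    """Raised when a service token must not be trusted."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class STS:
    """Internal Security Token Service: mints short-lived tokens bound to one target service."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key, self.ttl, self.issued = key, ttl_seconds, 0

    def issue(self, subject: str, audience: str, now: int) -> str:
        self.issued += 1
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + self.ttl}
        payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
        signature = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(signature)}"


def verify(token: str, key: bytes, expected_audience: str, now: int, skew: int = 30) -> Dict:
    """What the receiving service checks before trusting a caller."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        signature = _unb64(sig_b64)
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    # Pin the algorithm: never let the token tell the verifier how to verify it.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_unb64(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        # A token for service A must not be replayable against service B.
        raise TokenError("token was issued for a different service")
    if now > claims["exp"] + skew:
        raise TokenError("token expired")
    if claims["iat"] > now + skew:
        raise TokenError("token issued in the future")
    return claims


class TokenCache:
    """Sidecar-style cache: one STS round trip per target service per TTL, refreshed early so a
    token is never presented right at its expiry."""

    def __init__(self, sts: STS, subject: str, refresh_margin: int = 60):
        self.sts, self.subject, self.margin = sts, subject, refresh_margin
        self._tokens: Dict[str, Tuple[str, int]] = {}

    def get(self, audience: str, now: int) -> str:
        cached = self._tokens.get(audience)
        if cached and cached[1] - now > self.margin:
            return cached[0]
        token = self.sts.issue(self.subject, audience, now)
        self._tokens[audience] = (token, now + self.sts.ttl)
        return token
```

The audience check is the one most often skipped in internal deployments; without it, any token stolen from one service is a valid credential for every other service that trusts the same STS.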
20. 4. API Monitoring
● The success of our digital products is completely dependent on the APIs we build.
● APIs we build depend on many other APIs we consume.
๏ It is important to monitor the APIs we provide and consume.
● Monitoring becomes exceptionally hard when functionality is scattered across many
nodes in a network.
● A good monitoring system helps developers to troubleshoot issues faster and fix
them.
● Debugging is an iterative process that involves starting with a hypothesis and
looking at data and experimenting to see if the hypothesis holds.
● The 3 pillars of observability — tracing, metrics and logs — are important but not
necessarily sufficient.
22. Observing Distributed Applications
● Tools such as Prometheus, Jaeger,
Zipkin and Fluentd provide mechanisms for
observing distributed systems.
● Each tool provides its own perspective
of the system.
● When troubleshooting issues, users are
challenged to find patterns
themselves.
● A holistic view of data is required to
make sense of what’s going on.
Image Source:
https://www.infoq.com/articles/observability-tools-future/
23. Observing Distributed Applications: Service Topology
● As systems get larger, so do their
services and dependencies.
● A service dependency graph is useful
for understanding system architecture,
but not useful for troubleshooting.
● Developers need a focused service
topology view to build more accurate
hypotheses faster.
Image Source:
https://copyconstruct.medium.com/distributed-tracing-weve-been-doing-it-wrong-39fc92a857df
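The two slides above argue that a whole-system dependency graph is good for architecture but that troubleshooting needs a focused view of one service and a way to test a hypothesis against the trace data. The following is an added example, not code from the deck or from Jaeger or Zipkin, that works on a handful of constructed spans (the field names are assumptions): it builds the full caller-to-callee graph with error counts, slices it down to the edges touching one service, finds the span where an error entered a failing trace, and computes the self time of each service so latency is attributed to where it was actually spent rather than to whichever service happens to be at the top of the call.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed spans from two traces through an edge API. A real system pulls these from the
# tracing backend; one span per service per trace is assumed here to keep the example short.
SPANS = [
    {"trace": "t1", "span": "1", "parent": None, "service": "edge-api",    "ms": 420, "status": "error"},
    {"trace": "t1", "span": "2", "parent": "1",  "service": "orders",      "ms": 380, "status": "error"},
    {"trace": "t1", "span": "3", "parent": "2",  "service": "inventory",   "ms": 20,  "status": "ok"},
    {"trace": "t1", "span": "4", "parent": "2",  "service": "payments",    "ms": 340, "status": "error"},
    {"trace": "t1", "span": "5", "parent": "4",  "service": "fraud-check", "ms": 310, "status": "error"},
    {"trace": "t2", "span": "1", "parent": None, "service": "edge-api",    "ms": 90,  "status": "ok"},
    {"trace": "t2", "span": "2", "parent": "1",  "service": "orders",      "ms": 60,  "status": "ok"},
    {"trace": "t2", "span": "3", "parent": "2",  "service": "inventory",   "ms": 15,  "status": "ok"},
    {"trace": "t2", "span": "4", "parent": "2",  "service": "payments",    "ms": 30,  "status": "ok"},
]

Edge = Tuple[str, str]  # (caller service, callee service)


def _by_trace(spans: List[dict]) -> Dict[str, List[dict]]:
    groups: Dict[str, List[dict]] = defaultdict(list)
    for s in spans:
        groups[s["trace"]].append(s)
    return groups


def dependency_graph(spans: List[dict]) -> Dict[Edge, Dict[str, int]]:
    """Whole-system topology: every caller->callee edge with call and error counts."""
    edges: Dict[Edge, Dict[str, int]] = defaultdict(lambda: {"calls": 0, "errors": 0})
    for trace in _by_trace(spans).values():
        by_id = {s["span"]: s for s in trace}
        for s in trace:
            if s["parent"] is None:
                continue
            edge = (by_id[s["parent"]]["service"], s["service"])
            edges[edge]["calls"] += 1
            if s["status"] == "error":
                edges[edge]["errors"] += 1
    return dict(edges)


def focused_topology(spans: List[dict], service: str) -> Set[Edge]:
    """The slice a developer needs while debugging: only edges that touch `service`."""
    return {edge for edge in dependency_graph(spans) if service in edge}


def origin_of_failure(spans: List[dict], trace_id: str) -> List[str]:
    """Services whose span failed while none of their children did: where the error entered.
    Errors propagate upward, so every ancestor is also marked error but is not the cause."""
    trace = _by_trace(spans)[trace_id]
    children: Dict[str, List[dict]] = defaultdict(list)
    for s in trace:
        children[s["parent"]].append(s)
    return sorted(
        s["service"] for s in trace
        if s["status"] == "error" and not any(c["status"] == "error" for c in children[s["span"]])
    )


def self_time_ms(spans: List[dict], trace_id: str) -> Dict[str, int]:
    """Latency spent inside each service itself: span duration minus its children's durations."""
    trace = _by_trace(spans)[trace_id]
    child_total: Dict[str, int] = defaultdict(int)
    for s in trace:
        if s["parent"] is not None:
            child_total[s["parent"]] += s["ms"]
    return {s["service"]: s["ms"] - child_total[s["span"]] for s in trace}


if __name__ == "__main__":
    print("orders view:", sorted(focused_topology(SPANS, "orders")))
    print("t1 failed in:", origin_of_failure(SPANS, "t1"))
    print("t1 self time:", self_time_ms(SPANS, "t1"))
```

In trace t1 four of five spans are marked error, yet only fraud-check failed on its own; the self-time breakdown shows the same thing from the latency side, with 310 ms of the 420 ms total spent there.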
24. 5. Managing the API Lifecycle
● Managing the lifecycle of an API is about
๏ Getting an API from idea to production.
๏ Evolving the API to meet consumer demand.
● DevOps processes and CI/CD pipelines play a critical role in running an API in
production.
● Business insights of APIs are vital in making roadmap decisions.
● API versions are used to introduce new features to APIs.
● A well thought out versioning and retirement strategy is helpful to evolve APIs
without customer frustration.
27. The Evolution of the API: Business Insights
● Business insights about APIs are
crucial for the API roadmap
๏ Usage metrics: Transactions,
errors, latencies.
๏ NPS and adoption: New consumers, churn.
๏ Business value reporting:
Earnings, savings, new customer
reach.
๏ Community: Developer portal
(feedback, ratings, feature
requests).
28. The Evolution of the API: Versioning and Retirement
● API Versioning
๏ Adopt a versioning strategy (semver).
๏ Notify consumers.
๏ Automatic migration of consumers to newer versions.
● API Retirement
๏ Deprecate the API first and then notify consumers.
๏ Make the deprecated API unavailable to new consumers.
๏ Use business insights to make retirement decisions.
29. Summary
● Modern APIs are built reusing many APIs.
● Microservice frameworks on their own are not sufficient to build enterprise-grade
APIs.
● The following are key areas of focus for building enterprise APIs from idea to
production.
๏ API Discovery.
๏ API Programmability.
๏ API Security.
๏ API Monitoring.
๏ API Lifecycle.
30. A Next-Gen Cloud Native
Engineering Platform for
API Developers
Thanks!
wso2.com/choreo
https://twitter.com/ChoreoDev