The document outlines six tactics for building successful APIs: 1) define a business model to identify goals like enabling app development or new revenue streams, 2) build managed APIs that are advertised, secured, and monitored, 3) focus on API security like access control and authentication, 4) reconcile service and API lifecycles and governance, 5) integrate APIs with enterprise systems, and 6) brand APIs and treat them as products to enable monetization.

1. Six Tactics For Building Successful APIs
Chris Haddad
VP Platform Evangelism
Last Updated: Jan. 2014

2. 2
About the Presenter
• VP Platform Evangelism
• F500/G2000 Advisor
• Cloudy DevOps for Dev guy
• API Strategy and SOA Roadmap consultant
• Architect
• SaaS and PaaS
• Service portfolio and infrastructure
• Java, .NET, JavaScript, Open Source
• Learn more about me
• Follow me @cobiacomm on Twitter
• Blog: http://blog.cobia.net/cobiacomm
• Decks: http://www.slideshare.net/cobiacomm/
• Profle: http://www.linkedin.com/in/cobiacomm/
• On Google+ too

3. What architecture goal-state is
required?
http://edcforums.com/threads/the-atwood-collectors-thread-part-2.101226/page-5

4. Old IT  Responsive IT

5. Engage your customers and partners
Mobility, Internet of Everything, and Ecosystem Business Models
are Transforming The Web

6. APIs Fit Into A Bigger IT Picture

7. Connected Business Reference Architecture

8. Architecture Focus Areas
Integration
Expose Services as APIs
Big Data Streams and Analytics

9. Architecture Focus Areas
Identity and Entitlement Management
Cloud
AppDev
Developer Studio
App Factory
AS incl. Jaggery), UES, DSS,

11. Enterprise Service Bus Component Architecture

12. API-centric Focus
An API is a business capability delivered over the Internet to
internal or external consumers
๏ Network accessible function
๏ Available using standard web protocols
๏ With well-defined interfaces
๏ Designed for access by third-parties

13. API-centric Focus
A Managed API is:
๏ Actively advertised and subscribe-able
๏ Available with SLAs
๏ Secured, authenticated, authorized and protected
๏ Monitored and monetized with analytics

14. 14
API Centric Capabilities

15. API-centric Integration
Capabilities
๏ Expose APIs for public consumption
๏ Extend your business through APIs.
๏ API Branding
๏ Expose APIs for internal consumption
๏ Manage the APIs used in internal applications
๏ Detect Usage Patterns
๏ Internal Monetization
๏ Control Access to Cloud Services
๏ Manage and Secure access from internal applications to cloud services (SalesForce,
Google Apps, etc.) and between cloud-to-cloud interactions

16. 16
API Management Platform
Capabilities
๏ What the platform must do, at a minimum:
๏ Users Management (self-sign up, profile management)
๏ API Publication / API Store
๏ API Security
๏ Statistics
๏ SLA control
๏ Throttling / Rate Limiting
๏ API Versioning
๏ Monetization/Billing
๏ and more !
๏ You could build all of this yourself, but...

17. Open API and Collaboration

18. Enterprise SOA and API Integration Platform:
API-centric View

19. Six Steps
๏ Define A Business Model
๏ Build a Managed API
๏ API Security
๏ Reconcile Services and APIs Creation, Lifecycle and
Governance
๏ Enterprise Integration
๏ API Branding and API as a Product == Yields => Monetization

20. 20
Define a Business Model
๏ What are the business goals ?
๏ Enable 3rd-party Mobile Apps
development ?
๏ Increase brand recognition ?
๏ Open new revenue channels ?
๏ Define Monetization model
๏ Free ?
๏ Pay per usage ?
๏ Free APIs, but paid via Ads

21. 21
Building a Managed API
๏ Creating APIs (interface, docs,
samples,etc.)
๏ Advertising APIs
๏ Making APIs subscribe-able
by consumers
๏ Associating SLAs
๏ Securing APIs
๏ Monetization and Analytics

22. 22
Services and APIs
๏ Service deals with implementation
๏ API deals with subscription (consumer)
๏ Two very distinct life cycles !
๏ You don’t need the service to create the API...

23. 23
API Versioning Strategies
๏ Version as a query parameter
๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5
๏ Google Data API - “GData-Version: X.0″ or “v=X.0″
๏ Version as part of URI
๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/
๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json
๏ Version as a date in URI
๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls
๏ http://www.twilio.com/docs/api/rest/making-calls
๏ Version as a
๏ Custom HTTP Header
๏ Accept Header

24. 24
API Lifecycle
๏ An API can pass through multiple states
๏ For example:
๏ CREATED
๏ PUBLISHED
๏ DEPRECATED
๏ RETIRED
๏ BLOCKED
๏ Should integrate with complete governance lifecycle

25. 25
API Security
๏ Security is not an after thought !
๏ APIs are part of a much larger enterprise picture
๏ How will consumers request an access token ?
๏ Using a SAML 2.0 assertion ?
๏ Using client_credentials ?
๏ Using userid/password ?
๏ Make sure you document thoroughly how developers
need to manage tokens:
๏ Tokens are like passwords!

26. 26
Fine-grained access to APIs
๏ OAuth2 is all about access control: a token is associated to a scope.
๏ XACML (eXtensible Access Control Markup Language) is the de-facto
standard for fine-grained access control.
๏ OAuth scope can be represented in XACML policies
๏ Provides fine grain control over what a user/application can do ( i.e.
you can call GET but not POST on an API)

27. 27
Passing Auth Information to back-end
services
๏ Using JSON Web Tokens
(JWT)
๏ Lightweight
๏ Can be signed
๏ Easy to parse and consume
๏ Standard

28. 28
Generic Facade Pattern
๏ Pros
๏ No additional hop in the network
๏ Single Server to be managed
๏ More suited for internal deployments
๏ Cons
๏ Complexity of integration at edge of network
๏ API Management layer can’t really scale independently
๏ Not appropriate for DMZ deployments (direct access to backend services)

29. 29
Separated Facade &
Mediation
๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies
๏ Clear separation of concern between layers
๏ Mediation layer and API management layer scale independently
๏ Specific security checks/protection at edge of the network
๏ Provides protocol transformation to the edge of the network

30. 30
Specific WSO2 Solution
๏ Our API gateway is actually a full-blown ESB
under the hood, constrained at UI level.
๏ You can install the missing ESB features on top
of API manager and combine both
architecture layers into a single runtime!
๏ Makes the choice a deployment one.

31. API-centric Challenges,
Requirements, Use Cases
๏ Enterprise Integration
๏ Integrate with Enterprise Identity Management, Enterprise Security, and Enterprise Key
Management Solution
๏ Integrate with monitoring and statistics dashboard
๏ Integrate with existing Service Gateways
๏ Best Practices
๏ Jump from internal services to external API – what practices are required?
๏ How does API governance reconcile with service governance?

32. 32
Typical Deployment

33. 33
You can’t manage
what you can’t measure.

34. 34
Why Analytics and API Management are important
together?
๏ Build confidence in the API model
๏ Understand your customer
๏ Not just the developer but also the end-user
๏ Help manage services and versions
๏ Understand when deprecated services can be retired
๏ Plan better
๏ Monitor the growth of aggregated API traffic
๏ Monitor the growth of specific apps
๏ Even if you’re not going to put analytics in place, make
sure you capture all events right from beginning of
project.

35. Event Streams
35

36. Insight Architecture
36

37. Brands Enhance Revenue

38. Six Steps
๏ Define A Business Model
๏ Build a Managed API
๏ API Security
๏ Reconcile Services and APIs Creation, Lifecycle and
Governance
๏ Enterprise Integration
๏ API Branding and API as a Product == Yields => Monetization

39. 39
Download API Manager today!
๏ http://wso2.com/products/ap
i-manager/

40. Contact us !