The document outlines six tactics for building successful APIs: 1) define a business model to identify goals like enabling app development or new revenue streams, 2) build managed APIs that are advertised, secured, and monitored, 3) focus on API security like access control and authentication, 4) reconcile service and API lifecycles and governance, 5) integrate APIs with enterprise systems, and 6) brand APIs and treat them as products to enable monetization.
1. Six Tactics For Building Successful APIs
Chris Haddad
VP Platform Evangelism
Last Updated: Jan. 2014
2. About the Presenter
• VP Platform Evangelism
• F500/G2000 Advisor
• Cloudy DevOps for Dev guy
• API Strategy and SOA Roadmap consultant
• Architect
• SaaS and PaaS
• Service portfolio and infrastructure
• Java, .NET, JavaScript, Open Source
• Learn more about me
• Follow me @cobiacomm on Twitter
• Blog: http://blog.cobia.net/cobiacomm
• Decks: http://www.slideshare.net/cobiacomm/
• Profile: http://www.linkedin.com/in/cobiacomm/
• On Google+ too
3. What architecture goal-state is required?
12. API-centric Focus
An API is a business capability delivered over the Internet to internal or external consumers
๏ Network accessible function
๏ Available using standard web protocols
๏ With well-defined interfaces
๏ Designed for access by third-parties
13. API-centric Focus
A Managed API is:
๏ Actively advertised and subscribe-able
๏ Available with SLAs
๏ Secured, authenticated, authorized and protected
๏ Monitored and monetized with analytics
15. API-centric Integration Capabilities
๏ Expose APIs for public consumption
๏ Extend your business through APIs.
๏ API Branding
๏ Expose APIs for internal consumption
๏ Manage the APIs used in internal applications
๏ Detect Usage Patterns
๏ Internal Monetization
๏ Control Access to Cloud Services
๏ Manage and secure access from internal applications to cloud services (SalesForce, Google Apps, etc.) and between cloud-to-cloud interactions
16. API Management Platform Capabilities
๏ What the platform must do, at a minimum:
๏ Users Management (self-sign up, profile management)
๏ API Publication / API Store
๏ API Security
๏ Statistics
๏ SLA control
๏ Throttling / Rate Limiting
๏ API Versioning
๏ Monetization/Billing
๏ and more!
๏ You could build all of this yourself, but...
19. Six Steps
๏ Define A Business Model
๏ Build a Managed API
๏ API Security
๏ Reconcile Services and APIs Creation, Lifecycle and Governance
๏ Enterprise Integration
๏ API Branding and API as a Product == Yields => Monetization
20. Define a Business Model
๏ What are the business goals?
๏ Enable 3rd-party mobile app development?
๏ Increase brand recognition?
๏ Open new revenue channels?
๏ Define the monetization model
๏ Free?
๏ Pay per usage?
๏ Free APIs, but paid via ads
21. Building a Managed API
๏ Creating APIs (interface, docs, samples, etc.)
๏ Advertising APIs
๏ Making APIs subscribe-able by consumers
๏ Associating SLAs
๏ Securing APIs
๏ Monetization and Analytics
22. Services and APIs
๏ Service deals with implementation
๏ API deals with subscription (consumer)
๏ Two very distinct life cycles!
๏ You don’t need the service to create the API...
23. API Versioning Strategies
๏ Version as a query parameter
๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5
๏ Google Data API - “GData-Version: X.0″ or “v=X.0″
๏ Version as part of URI
๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/
๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json
๏ Version as a date in URI
๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls
๏ http://www.twilio.com/docs/api/rest/making-calls
๏ Version as a header:
๏ Custom HTTP header
๏ Accept header
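As an added example (not from the deck), a gateway-side resolver that recognises each strategy listed above on the slide's own URLs: a version or date segment in the URI, a `v` query parameter, a custom `GData-Version` header, or a versioned Accept media type. The Accept media-type shape (`application/vnd.<vendor>.vN+json`) and the precedence order are assumptions; URI strategies win so a client cannot override a version pinned in a documented URL by adding a header.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path segment shapes seen in the slide's examples: "v20.0" (Salesforce),
# "1.1" (Twitter) and a date "2010-04-01" (Twilio). A bare integer segment
# such as Netflix's title id 70023522 deliberately does not match.
_SEGMENT_VERSION = re.compile(r"^(?:v\d+(?:\.\d+)?|\d+\.\d+)$")
_SEGMENT_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Assumed Accept convention, e.g. application/vnd.example.v2+json
_ACCEPT_VERSION = re.compile(r"vnd\.[\w.-]+\.v(\d+(?:\.\d+)?)\+json")


def resolve_version(url, headers=None):
    """Return (strategy, version) for a request, or ("none", None).

    Order is an assumption: URI date, URI segment, query parameter,
    custom header, Accept header.  Header names are matched case-insensitively.
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    parts = urlsplit(url)
    for segment in parts.path.split("/"):
        if _SEGMENT_DATE.match(segment):
            return ("uri-date", segment)
        if _SEGMENT_VERSION.match(segment):
            return ("uri-path", segment.lstrip("v"))
    query = parse_qs(parts.query)
    if "v" in query:
        return ("query", query["v"][0])
    if "gdata-version" in headers:
        return ("custom-header", headers["gdata-version"])
    m = _ACCEPT_VERSION.search(headers.get("accept", ""))
    if m:
        return ("accept-header", m.group(1))
    return ("none", None)
```

A request that matches no strategy should be routed to a documented default version or rejected, not silently served by whatever version is newest.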
24. API Lifecycle
๏ An API can pass through multiple states
๏ For example:
๏ CREATED
๏ PUBLISHED
๏ DEPRECATED
๏ RETIRED
๏ BLOCKED
๏ Should integrate with complete governance lifecycle
25. API Security
๏ Security is not an afterthought!
๏ APIs are part of a much larger enterprise picture
๏ How will consumers request an access token?
๏ Using a SAML 2.0 assertion?
๏ Using client_credentials?
๏ Using userid/password?
๏ Make sure you document thoroughly how developers need to manage tokens:
๏ Tokens are like passwords!
26. Fine-grained access to APIs
๏ OAuth2 is all about access control: a token is associated to a scope.
๏ XACML (eXtensible Access Control Markup Language) is the de-facto
standard for fine-grained access control.
๏ OAuth scope can be represented in XACML policies
๏ Provides fine-grained control over what a user/application can do (i.e., you can call GET but not POST on an API)
27. Passing Auth Information to back-end services
๏ Using JSON Web Tokens (JWT)
๏ Lightweight
๏ Can be signed
๏ Easy to parse and consume
๏ Standard
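An added example (not from the deck or from WSO2's product code) tying slides 26 and 27 together: the gateway mints a signed JWT carrying the consumer's identity and OAuth2 scope, and the back-end service verifies it before mapping the scope onto the HTTP method, so a token with `catalog:read` may GET but not POST. The shared HS256 secret, the `<resource>:read`/`<resource>:write` scope convention and the claim names are assumptions for illustration.

```python
import base64, hashlib, hmac, json

# Assumed shared secret between gateway and backend (constructed for the demo).
SECRET = b"constructed-demo-key-do-not-reuse"
# Assumed scope convention: "<resource>:read" for GET/HEAD, "<resource>:write" otherwise.
READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(subject, scope, now, ttl=300):
    """Gateway side: sign an HS256 JWT carrying caller identity, scope and expiry."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": subject, "scope": scope, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_jwt(token, now):
    """Backend side: return the claims, or None if rejected. Pins the algorithm
    (an unsigned 'alg: none' token fails), compares the signature in constant
    time and enforces exp before any claim is trusted."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        claims = json.loads(_unb64url(claims_b64))
        return claims if claims.get("exp", 0) > now else None
    except ValueError:  # malformed base64, JSON or segment count
        return None

def authorize(token, method, resource, now):
    """Backend side: map the verified scope onto the HTTP method, deny by default."""
    claims = verify_jwt(token, now)
    if claims is None:
        return "deny: invalid token"
    needed = None
    if method in READ_METHODS:
        needed = f"{resource}:read"
    elif method in WRITE_METHODS:
        needed = f"{resource}:write"
    if needed and needed in claims.get("scope", "").split():
        return "permit"
    return f"deny: {needed or method} not granted"
```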
28. Generic Facade Pattern
๏ Pros
๏ No additional hop in the network
๏ Single Server to be managed
๏ More suited for internal deployments
๏ Cons
๏ Complexity of integration at edge of network
๏ API Management layer can’t really scale independently
๏ Not appropriate for DMZ deployments (direct access to backend services)
29. Separated Facade & Mediation
๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies
๏ Clear separation of concern between layers
๏ Mediation layer and API management layer scale independently
๏ Specific security checks/protection at edge of the network
๏ Provides protocol transformation to the edge of the network
30. Specific WSO2 Solution
๏ Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.
๏ You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
๏ Makes the choice a deployment one.
31. API-centric Challenges, Requirements, Use Cases
๏ Enterprise Integration
๏ Integrate with Enterprise Identity Management, Enterprise Security, and Enterprise Key Management Solution
๏ Integrate with monitoring and statistics dashboard
๏ Integrate with existing Service Gateways
๏ Best Practices
๏ Jump from internal services to external API – what practices are required?
๏ How does API governance reconcile with service governance?
34. Why are Analytics and API Management important together?
๏ Build confidence in the API model
๏ Understand your customer
๏ Not just the developer but also the end-user
๏ Help manage services and versions
๏ Understand when deprecated services can be retired
๏ Plan better
๏ Monitor the growth of aggregated API traffic
๏ Monitor the growth of specific apps
๏ Even if you’re not going to put analytics in place, make sure you capture all events right from the beginning of the project.
38. Six Steps
๏ Define A Business Model
๏ Build a Managed API
๏ API Security
๏ Reconcile Services and APIs Creation, Lifecycle and
Governance
๏ Enterprise Integration
๏ API Branding and API as a Product == Yields => Monetization
39. Download API Manager today!
๏ http://wso2.com/products/api-manager/
Mobility, the Internet of Everything, and ecosystem business models are transforming the Web towards a new interaction model, and businesses must adapt. Without adapting business practices and IT systems towards web API interaction, organizations will be unable to maintain or increase engagement with customers and partners.
People are shifting away from destination sites (e.g. Yahoo, Google Search, CNET, CNN) and social networks (e.g. Facebook, Twitter) towards accessing information and interacting with businesses using Web APIs and local apps.
When defining a roadmap to align IT’s pace with business agility expectations, establish IT team objectives that quicken IT solution development and delivery, offer new technology as on-demand shared services, and enhance your team’s ability to rapidly satisfy emerging business use cases (e.g. social collaboration, mobile application connectivity, ecosystem partnering).
Open source PaaS, Open APIs, and Open Ecosystems are accelerating agility, empowering developers, and enabling innovative business strategies. In a recently published white paper, I describe how adopting a New IT plan can create a responsive IT team.
The path to New IT requires moving away from traditional application platforms, traditional team structure, and traditional information flows. Responsive IT teams are adapting their infrastructure, processes and tooling to re-invent the application platform and re-think application delivery. The New IT architecture underlying Responsive IT intelligently incorporates Cloud Platforms, BigData Analytics, Enterprise DevOps, and API first development.
Open APIs are empowering developers by delivering business building blocks.
Teams can rapidly compose solutions to meet shifting business demand by re-using Open Data and Open APIs. Teams are embracing long tail development communities that enable innovative business ecosystem strategies to emerge, with Open Data and Open API foundations.
In a New IT operations model, instead of being a single-purpose delivery team, IT serves as a broker and validator of solution building blocks.
Manage APIs for external value-chain and customer use in mobile apps: establish tiers of service, track API usage, collect and analyze social data, and handle versioning. Use the same management internally to track internal re-use, ease of re-use, and access control.
“Layer 7 and WSO2 blend service integration and a good API consumer experience. Most API management adopters among our clients will need to build their corporate platforms on existing systems and integration efforts. So they will need a good client app developer portal, traffic management sophistication, and the means to map, convert, and manage existing service endpoints.”*
* The Forrester Wave™: API Management Platforms, Q1 2013, by Eve Maler and Jeffrey S. Hammond, February 5, 2013
Which platform components are in your architecture?
API brands enable you to build mindshare with your target audience. Mindshare increases API visibility; visibility encourages individuals (and devices) to discover and evaluate your API. API evaluation triggers API adoption, and adoption realizes your goals (i.e. increased interaction and revenue growth). Execute a virtuous API branding cycle.