APIs are a foundational technology that enables companies to participate in the digital economy. According to Gartner, “It is impossible to provide the platform for any digital strategy, and run an effective API program to benefit from the API economy, without full life cycle API management.” Yet API management is still often a gap in many companies’ integration architecture.
When considering an API management investment, look to the key product features to build a business case. API management justification is often based on one or more of the following use cases:
• Provides a secure API gateway for developers, partners and mobile devices to applications and data
• Manages an internal API program providing a centralized, collaborative environment to catalog and control reusable integration assets and APIs
• Creates an ecosystem of innovation by onboarding APIs and developers into a developer portal.
API security is a big selling point for API management. A major feature for API Management is publishing APIs to external and internal consumers. But published APIs must be secured. API management provides an API gateway to back-end services with the capability to secure and monitor API usage. It is a business imperative to secure APIs since APIs present the following security risks:
• APIs present a conduit into business applications
• HTTP verbs and parameterization creates a large attack surface
• APIs closely match methods and data models exposing the underlying system
• Complex identity management with non-human entities (e.g. phone) and partners.
API management can often be justified based on security features alone. In addition to security, the gateway provides meditation and monitoring features. The typical API Gateway functionality includes the following features:
• Proxy API calls and route them to backend services
• Validate keys, tokens, certificates and user credentials
• Usage logging and analytics
• API usage billing and chargeback
• Response caching
• Monitor API usage, logs interactions and throttles traffic
• Perform mediations like XML to JSON transformations.
The API Management systems have portal features for publishing and consuming APIs. The API developer’s portal creates an ecosystem to publish and consume APIs. From the API publisher’s perspective, the portal has the following features:
• Publish APIs in a catalog and control developer access to them
• Provide usage analytics and reporting
• Onboard and manage developers and APIs
• Import API metadata definitions – e.g. Swagger and RAML
• Package APIs as products with usage guidelines
• Configure gateway policies including security and throttling.
The developer portal creates an API marketplace that enables the consumption of APIs by internal and external developers. The developer portal has the following features:
• Provide developer access control and API key management
• Create a developer community with an API catalog, documentation and support forums
• Provide dashboards and usage statistics
• Provide API documentation, code samples, tests and guidance.
The features in the API portal streamlines the overall API lifecycle from planning and design to build, deploy and run. The API lifecycle implements a lightweight governance model that ensures APIs are easy to use and secure. It must be easy to onboard an API, built by a development team, onto the API platform as a reusable asset. APIs must be easy to find, understand and reuse. This unlocks the potential for innovation that APIs can provide by building an ecosystem between assets and developers (internal and external).
API management can be deployed on-premises or as a cloud service. API management capabilities are available through public cloud providers and software vendors with cloud or on-premises options. It’s simple to sign up with the cloud provides like AWS or Azure and try API management. But if you need a more formal software evaluation for an API management platform consider the following criteria:
• Vendor stability and API experience
• Architecture and deployment options
• Gateway security, usage management and mediation
• Microservices support
• Dashboard and analytics
• Developer and publisher portal – socialization, ease of use, customization
• Support of your security use cases and integrations (e.g. with access management)
• Training and support.
It is good to do a proof-of-concept for API management to ensure the software meets your security requirements and creates the type of developer experience you want with the portal. Perficient has partnerships with all the leading API management vendors should you need any assistance.