Broadly stated, an API (Application Programming Interface) is a code module that performs a specific task and defines a set of protocols that can be used by others to perform that task. In today’s world, however, APIs have become more than mere tools—there is now a vast and growing economy for code that can be easily dropped into an application to perform a discrete task. An effective API management strategy enhances the developer experience, elevates software quality, lowers development expenses, enables system scalability, and fortifies security measures.
If your organization manages an API and is considering making that API available to the public, either as a monetization or brand awareness strategy, it’s vital to ensure that the API is well-managed. Users outside your organization expect a good experience, and you must be prepared to deliver that experience through your API.
This is where a solid API management strategy comes into play. There are three major components of putting together an effective API management strategy plan: identifying the areas of effective API management, deciding whether you need an API management tool—and which type of tool you should use, and selecting that tool.
Effective API management involves overseeing all aspects of the API that your enterprise or outside users will utilize. This includes performance, security, authorization, documentation, analysis, and accessibility.
Gateway / Access An API gateway is the layer between the public and your backend services. This is where incoming requests will be intercepted and routed to the correct parts of your API. You should utilize caching, rate-limiting and throttling, and bundling of responses to ensure speed and consistency for your users.
Performance Goals Availability, speed, and reliability are crucial aspects of any public-facing API. You must be able to guarantee a certain amount of uptime for your users and be able to guard and recover user data in the event of a crash or downtime. Identify the goals for your API.
Security / Authorization Types Security is important not only to protect your server but also to protect sensitive client data. Your API strategy should include a secured by an API key, client certificate, or OAuth strategy. Even if your API provides data that is not private, the network requests it handles should still be secured.
Authentication / Policy Management After authorization, authentication and policy management are important for establishing user roles and team access and managing identities and privileges. This enhances security by limiting what resources are available to which users and improves organization for your users.
Developer Portal / Documentation An intuitive developer portal and good documentation are also crucial to good API management. Your developer portal should include a sandbox where devs can test your endpoints, an API catalogue outlining all available APIs within your organization, and clear, searchable documentation with guides for getting started and performing common tasks.
Analytics Your analytics will give you valuable insight into how people are using your API, which will allow you to focus resources on those areas that will be most profitable. Additionally, analytics are often useful for your users.
API management solutions can handle one or more of these tasks for you. Solutions are provided through either proxies, agents, or hybrid approaches.
Proxies A proxy solution sits between the API and its users. Proxies offer benefits like caching to optimize performance and shield the API from sudden traffic surges. However, a proxy could potentially raise costs and concerns related to privacy and latency. Examples of such proxy implementations include Apigee, Mashape, and Mashery.
Agents Agents are plugins that operate seamlessly alongside your server. Unlike proxies, they do not interfere with API calls. Consequently, they don't introduce network delays or external dependencies. However, implementing features like caching can be challenging. An example of this type of implementation is 3scale.
Hybrid To get the benefit of both implementations, you might use an agent and a proxy in combination. For instance, you could opt for a proxy to handle caching while using an agent for authentication purposes. Companies such as Apigee and 3scale are transitioning towards hybrid solutions.
Some of the top API management tools include the following:
Determining which solution is right for you will require an evaluation of your budget, existing resources (i.e., the people you have available in-house to work on this), your needs and the anticipated scale of your API.
Can I manage my APIs internally, or should I hire external help?
That is entirely up to you. If you have an organization large enough to dedicate a team to API management, you may be able to handle it yourself. But API management is a complex and specialized task and should not simply be offloaded to already overworked engineers in other areas of your company.