API Management
Before elaborating further on this topic we would like to describe more accurately what an API actually is. Application Programming Interface, or API for short, is a type of SOA asset that characterizes itself by:
- Making use of lightweight data transport and data formats such as REST and JSON
Note
Representational State Transfer (REST) is a an architectural style for the creation of web services using native methods or verbs (GET, POST, PUT, DELETE, and others) within the Hypertext Transfer Protocol (HTTP) to access resources via fully qualified uniform resource identifiers (URIs).
For further reading, go to the following URL:
http://en.wikipedia.org/wiki/Representational_state_transfer
JavaScript Object Notation (JSON) is a lightweight data format based on the JavaScript language. For further reading, go to http://www.json.org/.
- Stateless (meaning there is no session or persistence of state; a request is received and a response is sent as part of the same thread)
- Being highly scalable
- Being public (accessible via public Internet) or private (accessible only via private channels such as virtual private networks—VPNs, corporate wide area networks—WANs and/or a companies' extranet)
- An API technical contract (basically its interface) may or may not be declared; however if done so, a variety of notations (many of which are still evolving) can be used. For example:
- Web Application Description Language (WADL): http://www.w3.org/Submission/wadl/
- RESTful API Modeling Language (RAML): http://raml.org
- Swagger: http://swagger.io
- API Blueprint: https://apiblueprint.org
Tip
A bit of history: APIs actually predate SOA by far. APIs (or a least the notion of creating application interfaces to interact with other applications) existed even in the mainframe days. However, the term API as we know it today really refers to web APIs as the term gained popularity during the mobile app revolution, especially as mobile app developers in their search for a lightweight alternative to the then popular SOAP/WSDL-based web services, started creating services using REST and JSON which eventually became known as RESTful APIs.
A basic definition of API Management is the adoption and adaptation of SOA Governance principles and tools in the context of managing the end-to-end lifecycle of an API and the community around it.
From the diagram (which is an extended version of Gartner's Application Services Governance) the following fundamental similarities and differences can be noted:
- The concept of Community Management is central to API Management, whereas in SOA Governance, although it was present, it was never a fundamental pillar.
Tip
By community, we mean all the personas (actors) that participate in the API ecosystem, from consumers of an API (app developers for example) to the creators of the API (developers) and administrators of the API platform.
- More focus has been given to the runtime management of the API. For this reason, API Management tools tend to provide a lot of insight into API runtime analytics.
- There is a lot more flexibility around how an API is defined and built. This is reflected by the fact that several notations are available to define an API (some of them listed earlier in the chapter).
- The notion of API economy becomes very relevant to the business as it provides an opportunity to monetize APIs' usage. This means that the business sees an API as another revenue stream.
Having said that, we can conclude that API Management extends SOA Governance objectives by focusing on:
- Productizing and externalizing information assets and business functionality via APIs: APIs should be handled as products in their own right that offer information assets and business functionality to customers (known and unknown).
- Community management: Management of the API community (external and internal) by providing a facility where different people (developers, designers, architects, operators, business partners) can collaborate.
Tip
One of the key tenets of API Management is the ability to manage a community of known and unknown people alike via a web portal that is usually publicly available (meaning via public Internet access). While this principle might not be true in all scenarios (that is, a company might want to make APIs available only to partners via an extranet), this is a generally accepted definition among API practitioners.
- Runtime lifecycle management: End-to-end management of an API through all of its phases. The API lifecycle starts during the creation of the API and ends when the API is retired. The typical phases are: creation, publishing, deprecation, and retirement.
- Runtime analytics and metering: Robust runtime analytics focused as much on consumer usage—metering (that is, total API calls, consumer SLAs, and others) and analytics as on platform statistics (API status, throughput, latency, and others).
- Continuous delivery: Having the ability to rapidly build, test and make APIs available for general use, and most importantly the continuous improvement of the API is fundamental in any API Management strategy and therefore API Management tooling. Having said that, adopting disciplines such as Development Operations (DevOps) as the main method to deliver APIs becomes a fundamental objective.
Note
This book will not cover DevOps in great detail as other books and articles are dedicated explicitly to this topic. This book, however, will touch on areas that are related to DevOps but in the context of SOA Governance and API Management.
- Global deployment models: APIs (or more specifically web APIs) were born in support of scalable and flexible mobile and web architectures. Web and mobile applications respect no geographical boundaries; however, resources that can be globally accessible via the Internet are exposed to issues such as network latency, bottlenecks, a single point of failure and language localizations, to name a few. Having said that, an objective of API Management should be to provide cloud-based multi-geography deployments with localized capabilities such as localized language and throttling.
- Web security: The topic of security is a broad and complex one as it is relevant for every layer of a technology stack. However, when talking about APIs one should not try to boil the ocean. The focus should be on threads that apply web and mobile applications such as the one listed in the Open Web Application Security Project (OWASP) Top 10 project.
Tip
Refer to:
OWASP top 10: https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
OWASP top 10 mobile risks: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
- Monetization: Give the business the ability to monetize APIs. The objective should be making APIs a new revenue stream for the business.