API management is about selectively, securely, and conveniently exposing internal functionality to the outside world. Quite often the external consumption model and the internal representation of an API do not match, and this is where API gateways shine, efficiently translating one representation into the other on the fly. Exposing the SOAP web services of internal enterprise systems as lightweight external REST APIs is a very frequent case of this. Here's what it looks like:
- An external REST API is called. Parameters are typically passed in the URL path, query parameters, headers, or a JSON payload. Authentication typically happens via OAuth2.
- The API gateway receives the call, checks the OAuth keys, enforces policies such as throttling and scopes, records the call for analytics and monetization purposes, builds a SOAP call with a new payload in the format and with the parameters the backend expects, and passes that call to the backend.
- The backend typically uses some other form of authentication, such as basic or digest authentication, mutual SSL, or IP whitelisting.
- When the backend responds, the gateway transforms the response again, into the format the web or mobile client expects, typically JSON.
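The two translation steps above, reduced to their core, as an added example that is not code from any particular gateway product: the token table, the `GetCustomer` operation, the `urn:example:customers` namespace and the sample backend replies are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:customers"  # hypothetical backend service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("svc", SVC_NS)

# Constructed stand-in for the OAuth2 token/scope check the gateway performs
TOKENS = {"tok-reader": {"scopes": {"customers:read"}}}

def rest_to_soap(bearer_token, customer_id, fields):
    """GET /customers/{id}?fields=a,b -> (status, SOAP envelope or error dict)."""
    info = TOKENS.get(bearer_token)
    if info is None:
        return 401, {"error": "invalid_token"}
    if "customers:read" not in info["scopes"]:
        return 403, {"error": "insufficient_scope"}
    if not customer_id.isdigit():  # validate the path parameter before it reaches SOAP
        return 400, {"error": "invalid_customer_id"}
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}GetCustomer")
    ET.SubElement(op, f"{{{SVC_NS}}}CustomerId").text = customer_id
    for name in fields:
        # ElementTree escapes element text, so a query value such as "<x/>"
        # cannot inject extra elements into the backend request
        ET.SubElement(op, f"{{{SVC_NS}}}Field").text = name
    return 200, ET.tostring(env, encoding="unicode")

def soap_to_json(soap_xml):
    """Backend SOAP response (or SOAP Fault) -> (status, JSON-ready dict)."""
    root = ET.fromstring(soap_xml)  # for untrusted XML prefer defusedxml.ElementTree
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        # Fault details belong in the gateway's logs, not in the external response
        return 502, {"error": "backend_error"}
    cust = root.find(f".//{{{SVC_NS}}}Customer")
    if cust is None:
        return 502, {"error": "unexpected_backend_response"}
    return 200, {child.tag.split("}", 1)[1]: child.text for child in cust}

# Constructed sample backend replies in the hypothetical service's format
SAMPLE_RESPONSE = (
    f'<e:Envelope xmlns:e="{SOAP_NS}"><e:Body><s:Customer xmlns:s="{SVC_NS}">'
    "<s:CustomerId>42</s:CustomerId><s:Name>Ada</s:Name></s:Customer></e:Body></e:Envelope>"
)
SAMPLE_FAULT = (
    f'<e:Envelope xmlns:e="{SOAP_NS}"><e:Body><e:Fault><faultcode>e:Server</faultcode>'
    "<faultstring>internal error</faultstring></e:Fault></e:Body></e:Envelope>"
)
```

The HTTP status and dict returned by each function are what a real gateway would serialize to the client; the backend transport (and its basic auth, mutual SSL or IP restrictions) sits between the two calls.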