28 Jul, 2022 | 3 min read

Introducing Choreo Internal APIs

  • Menaka Jayawardena
  • Associate Technical Lead - WSO2


Modern cloud native applications must communicate with others to provide complete business functionality to end users. Here are a couple of examples. An order processing service needs to invoke an inventory management service to update its stock inventory details, while a weather forecast application invokes an API to get location information. In both scenarios, there can be numerous APIs which are invoked internally without the knowledge of the end user.

Sometimes, these APIs expose sensitive business information. Exposing them to the internet could pose severe security risks. For example, a user with access to the organization’s developer portal could generate an access token, invoke the organization’s API, and get access to confidential data. This is where internal APIs come into play.

Internal APIs are REST APIs developed and deployed in Choreo that are not exposed to end users over the internet. These APIs can only be accessed from another API deployed in Choreo, and they are deployed as fully managed APIs that provide the full spectrum of API management capabilities, such as lifecycle management, observability, throttling, and security.

Let’s take an example of a simple order processing service, which handles customer orders. The order processing service must update the inventory through its inventory management service. 

Figure 1: Order Processing Service Communication

As shown in Figure 1, once the user sends the order request, the Order API makes additional requests to several services to complete the initial request. The user only interacts with the Order API; none of the other services is exposed to the user or can be accessed by the user directly. This ensures the security of the transaction, since some services handle sensitive information about the user and the organization, and third-party access to that information could pose a serious security threat. With an internal API approach, no external party can access this information, since all of these transactions occur within Choreo.

There can be APIs that do not provide any business value to users. For example, the end user who places an order does not need to know where the item is located. But when the order is processed, this information must be sent to the correct warehouse. Knowing the item location does not provide direct business value to the user, but it is crucial for the order processing service to complete the customer request. Exposing this inventory service as a public API would reveal unnecessary information to users and place an extra burden on the API development team to block access to the API, manage traffic, strengthen security efforts, etc. Exposing this service as an internal API would minimize these unnecessary tasks and help developers focus on actual business functions.

There are several other advantages of internal APIs in Choreo. 

  • Internal APIs are managed APIs. All the features of API management (rate limiting, security, etc.) are readily available, enabling organizations to impose access limits across their APIs.
  • Observability and API insights are also available, enabling organizations to monitor the usage of their APIs, obtain performance information, etc. 
  • Private Connectors can be published for internal APIs, which are only visible to the users of the organization, allowing the developers to easily integrate APIs. 
  • Sometimes, it can be beneficial to expose an API to internal users for testing before making it available to the public, helping to identify and fix issues early.

To learn more about how to work with Internal APIs, follow this tutorial.


Modern organizations use several APIs to fulfill critical business functions. Not all of these APIs should be exposed online. With the support of managed internal APIs in Choreo, organizations can now develop the functionality required for mission-critical business functions securely and still have all the key API management capabilities.