
Introducing WSO2 API Manager 3.1

  • By Chamin Dias
  • 7 Apr, 2020

Today, API-driven business models are increasing in popularity due to the rise of digital transformation in service-based businesses. Business owners are competing to reap the benefits of this trend because they have seen the future of API-driven business models. The API economy has become the next big thing in the business world. This is because APIs are used to create sellable products and services that would otherwise take a considerable amount of effort to develop. APIs also help to integrate different services and present more solutions to consumers.

In this context, the demand for API Management solutions becomes inevitable. Businesses are demanding user-friendly, secure, and scalable API Management solutions more than ever before. This is where WSO2 API Manager provides a powerful solution. WSO2 API Manager can handle any kind of complex API Management use-case as it manages the complete life cycle of APIs. At the same time, the deployment flexibility (on-prem, cloud, and hybrid) adds more value to it.

We’re pleased to let you know that the latest version of WSO2 API Manager is here. WSO2 API Manager 3.1 is empowered with in-demand, widely useful features and improvements. Learn more about each of the product enhancements in this article.

What's New?

Integrating AWS Lambda for API Management

AWS Lambda allows you to run code without provisioning or managing servers. Amazon exposes AWS Lambda functions through a variety of services, such as Amazon S3, Amazon DynamoDB, and the processing of streaming data stored in Kinesis, as well as through the AWS SDK. Although AWS Lambda can run code in response to HTTP requests using Amazon's API Gateway, integrating Lambda functions with APIs through an API Manager requires the AWS SDK.

WSO2 API Manager now has the ability to invoke AWS Lambda functions using either stored AWS Credentials or IAM role-supplied temporary AWS Credentials, which is ideal if there is an instance of WSO2 API Manager running on AWS EC2 instances and you also want to manage other AWS services using this new feature.

AWS Lambda endpoint configuration

The main benefit of this AWS Lambda integration with WSO2 API Manager is that it allows organizations heavily invested in AWS architecture to take advantage of the serverless nature of AWS Lambda functions. This is highly cost-effective because it eliminates the need to splurge on systems engineering in a typical server architecture, and costs are incurred only for the time that the AWS Lambda functions run. Another benefit is the ease of scaling backend services, because AWS Lambda scales automatically to handle all incoming traffic depending on the need at any given time.

API Security Audit Integration

API Security is a key concern given the continuous rise in the use of APIs. This is evident from the fact that over 83% of all web traffic is now API traffic. This is why WSO2 API Manager has partnered with 42Crunch, an enterprise API Security platform, to provide the ability to conduct a security audit on an API Definition and obtain a detailed audit report that guides users in identifying and eliminating any existing security loopholes in an API.

The audit report generated provides a comprehensive analysis of issues in an API Definition by splitting the issues into 3 categories: OpenAPI Format Requirements, Security, and Data Validation. Scores are attached to each of these categories to make the report more user-friendly. The impact each issue has on the overall score of the respective category is shown to the user and the severity level is also displayed for further emphasis.

Audit score for a given API

Furthermore, the Security Audit Report allows API Developers to check for issues in various aspects of an API Definition at the design stage of an API, which is incredibly helpful to identify flaws in an API even before it is put to use. This reduces the possibilities of attackers taking advantage of common, but often overlooked, vulnerabilities that are found by the Security Audit feature.

If you’re a developer, these reports provide useful information on each issue, such as the exact point where the vulnerability exists in the API Definition (if available), and you are pointed to an encyclopedia that contains details on what the vulnerability is, how it can be exploited, and how it can be fixed. With this guidance, developers can use the built-in Swagger Editor in WSO2 API Manager to edit the API Definition. Upon saving the edits, they can run the Security Audit again on the API in order to see any improvements in the score.

Recommendation System for the API Store

The WSO2 API Manager Developer Portal is a marketplace for APIs. API publishers (Sellers) publish their APIs through the Publisher, and those APIs are listed in the developer portal. There they can find the best audience for the API: developers who are interested in the API's capabilities and will use it in their applications. Application Developers (Consumers) can log in to the portal to choose and subscribe to the APIs they want to leverage in their applications.

Recommended APIs

The WSO2 API Manager team is presenting a new feature that uses AI technologies. It analyzes the behavior of the application that the developer is building and suggests a list of new APIs that the user has not yet subscribed to but that might be useful for the project. These suggested APIs will then be listed in the Developer Portal, as illustrated in the above image.

API Categories

WSO2 API Manager 3.1 introduces an API Categories feature to enable API providers to categorize their APIs. The API Manager developer portal will display APIs under their respective categories. This could have been achieved with the tag-wise grouping feature in previous WSO2 API Manager versions, but from a user experience perspective, the process was quite cumbersome. API tags had to be defined with the suffix '-group' in order for them to be treated as tag-wise groups in the developer portal.

API categorization in the developer portal

The tag-wise mode had to be enabled in order to display APIs in a grouped manner on the developer portal. With API categories, there will be no constraints on naming and the developer portal will display categories whenever they are available.

API Mocking Feature

A prototype implementation in WSO2 API Manager gives users the ability to prototype APIs with inline scripts for testing purposes. This enables subscribers to test APIs without subscriptions or monetizations, allowing them to provide feedback to improve APIs. Publishers can use this to make changes to the APIs requested by users. Previously, users were presented with a default script which then had to be edited in order to allow the resource to return a response in the developer portal. This meant that the inline script of each resource had to be edited manually.

API prototype implementation

Now, prototype implementation is equipped with mock payload generation. Users can prototype an API using the inbuilt JavaScript engine without writing the JavaScript implementation for each resource manually. The inline script will be automatically generated for each response code and payload type (JSON and/or XML) according to the response body example values or response schemas defined in the API Definition. If the API definition contains mock responses for more than one response code per resource, the payloads will be presented as multiple payloads, but the “mc.setPayloadJson” or “mc.setPayloadXML” call will only contain the lowest response code value. Furthermore, the inline scripts of each resource can be edited further by users to better suit the required outcome. Once the generated mock payload scripts have been saved, the API can be deployed as a prototype and tested in the developer portal.

WSO2 API Microgateway

WSO2 API Microgateway is enabled with tracing capabilities that follow open tracing standards and provides metrics that can be visualized using dashboards. Both tracing and the metrics dashboards help to isolate production system issues and failures, and help to resolve them quickly. As another improvement, gRPC APIs can also be used with WSO2 API Microgateway. Organizations may have internal microservices that are implemented using gRPC and use gRPC for service-to-service communication. These services can now be securely exposed via the microgateway directly as gRPC services.

We have also introduced a feature for writing Java interceptors, enabling developers to perform message transformations and mediations for their APIs. Other introductions include API key-based authentication and multiple JWT issuer support. These features increase the security capabilities of WSO2 API Microgateway. Several security schemes (such as oauth2, basic, jwt) can be combined with mutual SSL to provide enhanced security for APIs. APIs in the financial sector may require this type of two-layered security in the transport and application layers. Multiple JWT issuers enable the gateway to work with different types of token issuing services, which is useful because certain organizations may use different identity and access management services. WSO2 API Microgateway can also connect with external key managers through standard introspection to validate oauth2 (non-JWT) tokens.
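What multiple JWT issuer support implies on the validating side, as an added example that is not WSO2 API Microgateway's code: each trusted issuer gets its own pinned key and algorithm, and the token's unverified "iss" claim is used only to pick which pinned key to check against. The issuer URLs, audience value, and all function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const unb64 = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed issuer: a fresh RSA key pair standing in for one token service.
function makeIssuer(iss) {
  return { iss, ...crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }) };
}

// Helper for the demo: mint a token as the given issuer would (RS256 unless overridden).
function mint(issuer, claims, alg = 'RS256') {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = alg === 'RS256' ? crypto.sign('sha256', Buffer.from(input), issuer.privateKey) : Buffer.alloc(0);
  return `${input}.${sig.toString('base64url')}`;
}

// Gateway side. `trusted` is a Map from an exact issuer string to { publicKey, alg }.
function verifyToken(token, trusted, audience, now = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, claims;
  try { header = unb64(parts[0]); claims = unb64(parts[1]); } catch { return fail('malformed'); }
  if (!header || !claims) return fail('malformed');
  // The unverified "iss" only selects a pinned key; it is never trusted on its own.
  const entry = trusted.get(claims.iss);
  if (!entry) return fail('untrusted issuer');
  // The allowed algorithm comes from the trust store, not from the token header.
  if (header.alg !== entry.alg) return fail('algorithm not allowed');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, entry.publicKey, Buffer.from(parts[2], 'base64url'))) {
    return fail('bad signature');
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) return fail('expired');
  if (![].concat(claims.aud).includes(audience)) return fail('wrong audience');
  return { ok: true, claims };
}

// Constructed trust store: one entry per issuer the gateway accepts.
function buildTrustStore(issuers) {
  return new Map(issuers.map((i) => [i.iss, { publicKey: i.publicKey, alg: 'RS256' }]));
}
```

A token that names a trusted issuer but was signed with another issuer's key fails at the signature step, which is the property that keeps one token service from minting tokens on behalf of another.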

API Operator for Kubernetes

API Operator is an extension for Kubernetes which communicates with Kubernetes API server to deploy APIs on Kubernetes cluster in the most convenient way. It makes APIs a first-class citizen in the Kubernetes ecosystem. By giving a Swagger definition to K8s, you can deploy a microgateway for your microservices in a few minutes.

As microservices are largely deployed on Kubernetes clusters, the need for exposing them as APIs (managed APIs) is an important factor for application developers and business owners. Since the API Operator makes APIs a first-class citizen in the Kubernetes ecosystem, this makes deployment of APIs easier on the Kubernetes cluster with the API definition and the API controller (apictl) CLI tool. Hence, developers do not have to worry about API management logic, deployment-related details, scalability, etc. They can focus solely on business logic. It also simplifies the promotion of APIs from the development environment to the production environment. The API Operator is ideal for anyone who is looking for a fast, scalable, robust API Management solution on a Kubernetes cluster that both exposes your microservices and manages APIs conveniently.

GraphQL Try out Console for Developer Portal

In the previous version of WSO2 API Manager, the Swagger UI was used to try out GraphQL APIs. Because of its limited functionality, users were not able to clearly understand the GraphQL schema. It was also difficult to try out a GraphQL API using the old Swagger UI console. To overcome these issues, WSO2 API Manager now comes with a GraphiQL UI that can be used to try out GraphQL APIs.

GraphQL try-out console

This streamlines your interactions with your GraphQL APIs. It also provides more user-friendly features like interactive schema documentation, syntax highlighting, real-time error highlighting and reporting for queries and variables, automatic query completion, and automatic field addition to queries. Users do not have to worry about how they can construct these queries exactly. With the GraphQL explorer, it is much easier to construct full queries by clicking through available fields and inputs without the repetitive process of typing these queries manually.

WSO2 API Manager Analytics

WSO2 API Manager Analytics is mainly used for monitoring purposes. It provides a variety of options for both API developers and subscribers to monitor, gain accurate knowledge of, and understand APIs and API usage. The new features of API Manager Analytics 3.1 are:

PDF Report Generation

Many of our users have asked us to introduce a feature that they can use to generate reports of statistical data. This release includes the first cut of the implementation of this feature and it facilitates the generation of the Monthly API Usage Report. You can access this feature via the WSO2 API Manager Admin dashboard. Users have the flexibility to choose the year and month for report generation. Furthermore, the default implementation of this feature can be extended if the user's organization requires different data than the ones provided by the default report.

Widget Generator Tool

This feature makes it easier to implement your own custom widgets and use them across dashboards. Furthermore, this feature provides a widget generator tool to automatically generate the widget skeleton by taking the user preferences through a command-line tool and guiding the user until the widget deployment is in the dashboard.

GraphQL Analytics

GraphQL Analytics requirements differ from standard API analytics. We have added some improvements to the existing charts to facilitate viewing statistics for GraphQL operations. A single API call for a GraphQL API can have multiple operations associated with it. With this release, analytics charts will have the in-built capability to filter these API calls by GraphQL operation.

API Manager Analytics Improvements

Custom Data Publishing via a Sequence

The Gateway component publishes attributes related to each API call to WSO2 Analytics Server. These details are published in the form of events and then summarized and persisted in the database. However, not all the information related to the request is published to WSO2 Analytics Server by default. This feature facilitates the publication of custom attributes related to an API call for later analysis. Users can engage a custom mediation sequence in a request or response path depending on their requirements.

White Labeling Dashboard for Tenants

System admins can now use an easier approach when white labeling the analytics dashboard by changing the logo image and the favicon. System admins do not need to have React, CSS, or HTML knowledge for this customization. The user has to place the required images inside the respective tenant folder and update the directives in the configuration file so that the server will select those and display them based on the logged-in tenant.

Try It out Today

Now it’s time for you to explore these features for yourself. WSO2 API Manager documentation has all the information that you need. Download the product and try it out, risk-free. Moreover, if you need any help, feel free to join our Slack channel and follow us on Twitter.

About Author

  • Chamin Dias
  • Senior Software Engineer
  • WSO2