1. Introduction
APIs establish the digital business core. APIs define your business data, processes, and capabilities
that can be consumed across internal projects and external communities. In an increasingly connected
world, APIs are your core business product; exposing your valuable services across customer, partner,
and supplier channels.
This white paper will describe innovative digital business goals, outline transformative API oriented IT
initiatives, and present API management platform requirement categories. A companion evaluation
matrix spreadsheet details hundreds of evaluation criteria that you may use to score vendor
platforms.
2. Digital Business Goals
Every business is a digital business. Consumers, business partners, and employees expect timely,
round the clock access to business information, processes, and notifications. Successful companies
enable digital interactions and digital moments that transform business to business, business to
consumer, and business to employee relationships. A well-executed digital strategy empowers teams
to:
- Accelerate business innovation
- Craft new digital business models
- Build new digital channels and ecosystems
2.1 Accelerate Business Innovation
Internal development teams, external partners, and third-party developers accelerate business
innovation by composing solutions from ready-made API building blocks. Because the API building
blocks are RESTful, secure, and conform to well-defined service level agreements, teams can trust the
availability and reliability of the published business capability. By tapping into ready-made APIs, teams
can focus on higher value, innovative business scenarios. The innovative business scenario can be an
incremental improvement or kickstart a disruptive new business venture.
Business innovation can improve customer intimacy, enhance customer experience, and drive
customer engagement.
Customer intimacy strengthens customer loyalty and positively influences customer lifetime value. By
analyzing customer purchase patterns, recommendations, and intent, companies better understand
the context driving customer behavior and sentiment. APIs enable a direct, intimate connection with
customers through mobile applications, sensor data, and well-integrated partner systems.
By connecting mobile apps with cloud APIs, business teams can introduce context-driven advice and
actions into the customer experience. Smart solutions can intelligently tailor recommendations and
product behavior that increases customer productivity, efficiency, and satisfaction. Activity-driven
alerts and notifications increase customer engagement. By analyzing user interactions with your
product, your team can craft context-driven recommendations and reminders.
Cloud APIs communicate real-time status and action triggers. Action triggers may prompt users to
explore unseen features, follow best practices, accept configuration recommendations, or perform
maintenance. By aggregating and analyzing telemetry information, teams can create products that
shorten periods between uses, increase usage duration, promote popular features, and improve the
user experience.
2.2 Craft New Digital Business Models
Instead of delivering static, monolithic products and services, APIs create an opportunity to white-label,
embed, and monetize business capabilities. Business teams are offering content brokers
and information hubs that share data aggregated from millions of devices and billions of customer
interactions. The aggregate dataset can help identify trends, structural market shifts, and economic
patterns.
2.3 Build New Channels and Ecosystems
By integrating third-party capabilities, rather than building and hosting the capability internally,
companies tap into an extended ecosystem of best-of-breed analytics, customer preference
repositories, social sentiment, and business capabilities (e.g. payment, digital marketing, shipment
expeditors). Teams are publishing APIs to tap into mobile application developers, external suppliers,
and third-party digital storefronts. For example, mobile application developers can connect the retailer
with mobile app customers and extend the reach and exposure of retail goods (especially in 'flash sale'
or 'sale liquidation' scenarios). Additionally, organizations can tightly integrate their business processes
with external suppliers and can use APIs to gauge product demand across the supply chain and
enhance product availability. A company may also use APIs to integrate with third-party organizations
and vendors who desire to white-label the business capability on their digital storefront or digital
property. The digital strategy is similar to a department store or shopping mall, which allocates floor
space and advertising to a specific vendor.
3. API Oriented IT Initiatives
Successfully implementing API oriented technology strategies will advance your organization towards
digital business goals. Key technology strategies include
- API-centric enterprise
- API economy
- Mobile and IoT
- Service oriented architecture
- Microservice architecture
- API management
3.1 API-Centric Enterprise
API-centric enterprise organizations reach more customers and generate greater business activity.
APIs facilitate interconnecting business processes across an extended value chain. Partners,
suppliers, distributors, and customers can readily tap into a business capability offered as an API, and
increase business interaction over the API channel. API-centric enterprises move beyond destination
ecommerce to embrace decentralization, personalization, contextualization, gamification, and dynamic
distribution channels. Technology trends embracing these concepts include mobile, machine-to-machine,
person-to-person, and business-to-developer channels. In each case, APIs are the connecting
glue across distributed solution actors and components.
3.2 API Economy
API-centric organizations take an outside-in approach to business. Instead of providing monolithic
products and services, APIs create an opportunity to white-label, embed, and monetize business
capabilities. Also, APIs provide an opportunity to become a content broker and information hub.
Internal development teams, external partners, and third-party developers accelerate business
innovation by composing solutions from ready-made API building blocks. Because the API building
blocks are RESTful, secure, and conform to well-defined service level agreements, teams can trust
the availability and reliability of the published business capability. By tapping into ready-made APIs,
teams can focus on delivering higher value, innovative business scenarios. The target innovative business
scenario can be an incremental improvement or kickstart a disruptive new business venture.
3.3 Mobile and Internet of Things
API-centric organizations take an outside-in, customer-first approach to business. They sit alongside
the customer, gauge surrounding environmental context, and enrich customer activities. By
monitoring customer actions, surrounding events, and progress towards goals, mobile or Internet of
Things (IoT) devices create an adaptive feedback channel that turns static products into smart, active
participants.
Mobile or IoT devices reside within a customer’s pocket, on their wrist, in their car, or embedded
within their home or business workplace. The devices collect location, environment, movement, and
activity information from embedded GPS sensors, cameras, accelerometers, thermometers, and
machine controllers. Because device sensors are ‘next to the action’, interconnected through APIs, and
interfaced with Internet Cloud services, businesses gain insight into customer interactions with their
product. Smart IoT and mobile solutions analyze customer interaction and context data to enhance
customer satisfaction, increase customer engagement, and tune subscription revenue models.
3.4 Service Oriented Architecture
APIs are a strategic component supporting your service oriented architecture initiative. To create an
architecture that effectively promotes re-use and sharing, teams should build a service environment
following ECD principles (i.e. externalization, consumerization, and democratization). APIs externalize
business capabilities. APIs democratize service development, and APIs consumerize service
consumption.
In many organizations, APIs proliferate (1,000s of APIs) and are minimally re-used. Because there is
often minimal communication, inefficient coordination, and a lack of trust, teams underutilize API
assets. Team members often find it difficult to understand who is consuming APIs, who is writing
re-usable APIs, and whether the API is scalable and secure. Without an agile process to find, explore,
evaluate, and subscribe to APIs, teams commonly re-build rather than re-use. The prevalent SOA
anti-patterns of Not Invented Here (NIH), tight coupling, and ‘build again’ are reinforced when teams
do not know about an API’s existence or cannot easily map API functionality to the needed business
capability. Exacerbating the situation, bureaucratic red tape creates delays in being able to access
the API. Without reliable infrastructure to track usage, manage access, ensure quality of service, or
monetize the API asset, providers often restrict API consumers to private, internal team use.
API management solves structural trust, adoption, and collaboration challenges. To learn more, read
the "Promoting Service Re-use with API Management" white paper.
3.5 Microservice Architecture
When taking a micro-service design approach, teams divide business solutions into distinct, full-stack
business APIs owned by autonomous teams. A micro-service based application weaves multiple atomic
micro-services (exposed as APIs) into a holistic user experience. Unfortunately, traditional service
delivery models do not address unique micro-service demands for dynamic provisioning, service
composition, and service level management. A platform as a service (PaaS) and API management
environment is a perfect fit. Running micro-APIs on PaaS and API management infrastructure fabric
decreases solution fragility, reduces operational burden, and enhances developer productivity.
Publishing a naked API will result in run-time quality of service issues, inefficient community scaling,
and limited consumer adoption. A naked API is not monitored, managed, secured, documented, or
accessible via a self-service subscription portal.
When development teams publish APIs, they explicitly separate service interface from service
implementation. Managed API endpoints are lightweight proxies enforcing security, monitoring usage,
and shaping traffic. The API proxy enables a clear separation of concern between consumer interface
contract and back-end service implementation.
A managed API is
- Actively advertised and subscribe-able
- Available with an associated, published service-level agreement (SLA)
- Secured, authenticated, authorized and protected
- Monitored and monetized with analytics
4. Evaluating API Management Infrastructure
While all services should exhibit managed API characteristics, most service endpoints are deployed on
platforms that don't deliver management characteristics. By applying the API façade pattern, teams can
layer network addressable endpoints, monitor usage, enforce usage limits, shape traffic, and authorize
consumers. API management infrastructure should guide teams towards best practice in
- API design and implementation
- Securing interactions
- Publication and community engagement
- Monitoring and run-time management
- API lifecycle, policy, and community governance
- API analytics
Additionally, to provide a scalable, high performance, shared infrastructure service, the API
management environment should exhibit a flexible, enterprise-scale solutions architecture.
4.1 Solutions Architecture
An API management platform must interface and integrate into your solutions architecture. The
DevOps and API consumer learning curve must be low. A flexible API management platform will
adjust to your project’s solution architecture requirements for scaling, identity management, security,
development lifecycle, and API branding. Evaluate API management platforms by their ability to
- Deliver high quality of service
- Easily deploy in your run-time environment
- Integrate with core infrastructure platform services
- Deliver platform APIs
Applying your organization’s corporate brand to the API portal will help make your API initiative stand
out from the crowd and enhance your company’s brand image. Evaluate if the API platform’s user
experience is pluggable, extensible, and themable. Determine if the platform delivers an intuitive
development experience for API creators, publishers, and consumers. Understand how your existing
DevOps and governance practices can be applied to API management activities. Key evaluation
categories include
- Intuitive development experience
- DevOps friendly
While many teams start API management platform adoption with a single API portal reaching out to
a single developer community, presenting a single brand, or connecting with a distribution channel,
efficiently scaling API across multiple communities or channels requires embedded support for
multi-tenancy. Multi-tenancy includes tenant branding, tenant administration, and tenant specific API
storefronts. Evaluate platform cost versus reach by analyzing
- Platform multi-tenancy support
- Efficient pricing model and excellent support
To learn in-depth solution architecture evaluation criteria, review our evaluation matrix spreadsheet.
4.2 API Design and Implementation
APIs differ from backing services by design. APIs expose a RESTful, resource oriented facade that
enforces security and quality of service policies. Significant API creation activity categories include:
- API design
- API façade development
- Service level definition
- API mediation
- API documentation
- API test
API management platform tooling should guide developers towards best practice API design, and
help developers create resource-oriented schema interface definitions, define location awareness
and geo-fences, generate client SDKs, and orchestrate back-end calls. The platform should help teams
generate and apply re-useable service level definitions that describe rate limits, subscription tiers,
and access control scopes. While mediation is usually better scaled in a separate run-time topology
tier, the API façade design tooling should assist in the end-to-end development process, which may
include defining API message processing actions using enterprise integration pattern (EIP) mediation
primitives.
When teams can't understand how to use your API, they probably will go elsewhere. API
documentation facilities should enable teams to upload 'how to' guides, samples, message schemas,
and policy descriptions. The ability to auto-generate documentation from resource definition
files is extremely helpful, and full content management system capabilities help teams version
documentation resources.
API testing capabilities may span client consoles, API message debugging, sequence tracing, log
viewers, report generation, and test automation. Teams may quickly stand up mock-API responses and
specify sandbox, backing service URLs for rapid, agile development.
To learn in-depth API design and implementation evaluation criteria, review our evaluation matrix spreadsheet.
4.3 Securing Interactions
When exposing business capabilities to external parties and third-party developers, security is a
paramount concern. API management platform security capabilities overlap with service gateways,
firewalls, identity management, and access control components. Enterprise-ready platforms will
integrate with existing security infrastructure and distribute platform capabilities across appropriate
security zones. API management platforms may provide
- Access control, authentication, and key management
- Entitlement assertions
- Attack prevention
- Confidentiality, integrity, and privacy
- Identity management
- User management
Access control, authentication, entitlement assertions, and key management capabilities are based on
the OAuth2, JSON Web Tokens (JWT), TLS, and SAML specifications. Both coarse grained access controls
(API level, method level) and fine grained access controls (resource scopes) enable teams to lock
down API access across multiple user profiles. Because APIs are usually externally facing, the platform
should provide the ability to publish APIs that are accessible across multiple tenants, anonymous
consumers, whitelisted and blacklisted IP addresses, and specific user roles.
While most API interactions will be authorized via tokens, token generation or refresh requires
authenticating the user, client device, or application. API management platforms should use standard
protocols (OpenID, SAML) and interface with third party cloud identity services (e.g. Google, Facebook)
or enterprise identity providers.
API management platforms may provide sophisticated key management for authentication credentials
and authorization tokens. The platform should provide the ability to automatically generate, revoke,
and refresh keys. The platform should associate keys with specific authorization scopes, API resources,
and API environments (e.g. development, sandbox, production).
Attack prevention includes stopping denial of service, malware, message injection, malicious scripting,
parameter fuzzing, and system overload attacks. The API management platform should complement
existing firewalls, security proxy servers, and security information and event management (SIEM) systems.
In addition to securing APIs, the platform should conform with enterprise security governance and
security compliance policies. Establishing trust relationships between network zones, gateways,
identity repositories, key managers, and backing services is an important implementation
consideration. The platform should follow enterprise approval workflow when granting API creation,
publication, deprecation, and retirement. Important additional workflow processes include developer
registration, user access, key generation, and API subscription.
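The layered checks described in this section (token verification, coarse-grained method-level roles, fine-grained resource scopes) together with the tier-based rate limits from the service level definitions in 4.2, as an added Python example that is not WSO2 platform code. The signing key, tier names, routes, scopes and client ids are constructed for the demo, and the HS256 JWT is hand-verified with the standard library so the block runs offline.

```python
"""Added example (not WSO2 code): a minimal API facade policy check.

Verifies an HS256-signed JWT bearer token, then applies the two layers the
paper describes: coarse-grained (method-level) role checks and fine-grained
OAuth scope checks per resource, plus a per-subscription-tier rate limit.
The key, tiers, routes, scopes and client ids are constructed for the demo.
"""
import base64, hashlib, hmac, json
from collections import defaultdict
from typing import Optional

SIGNING_KEY = b"demo-key-server-secret"  # constructed; a real key server owns this

# Service level definition (assumed): tier -> requests allowed per 60 s window
TIERS = {"bronze": 5, "gold": 100}

# Route policy (assumed): (method, path) -> allowed roles and required scope
ROUTES = {
    ("GET", "/orders"): {"roles": {"partner", "internal"}, "scope": "orders:read"},
    ("POST", "/orders"): {"roles": {"internal"}, "scope": "orders:write"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the platform key server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # reject 'none' and any unexpected algorithm
        signed = f"{header}.{body}".encode()
        expected = hmac.new(SIGNING_KEY, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed base64, JSON or token shape
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims

class Facade:
    """Managed endpoint: authenticate, authorize, then shape traffic."""

    def __init__(self) -> None:
        self._hits = defaultdict(list)  # client_id -> recent request times

    def authorize(self, token: str, method: str, path: str, now: float) -> str:
        claims = verify_token(token, now)
        if claims is None:
            return "401 invalid or expired token"
        policy = ROUTES.get((method, path))
        if policy is None:
            return "404 unknown resource"
        # Coarse-grained: is any of the caller's roles allowed on this method?
        if not policy["roles"] & set(claims.get("roles", [])):
            return "403 role not permitted for this method"
        # Fine-grained: does the token carry the scope for this resource?
        if policy["scope"] not in claims.get("scope", "").split():
            return "403 missing scope " + policy["scope"]
        # Traffic shaping: sliding 60 s window sized by the subscription tier
        client = claims.get("client_id")
        limit = TIERS.get(claims.get("tier"), 0)
        window = [t for t in self._hits[client] if t > now - 60]
        if len(window) >= limit:
            return "429 tier rate limit exceeded"
        window.append(now)
        self._hits[client] = window
        return "200 forwarded to backing service"
```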
To learn in-depth API security evaluation criteria, review our evaluation matrix spreadsheet.
4.4 Publication and Community Engagement
API management platforms accelerate adoption and streamline API DevOps tasks. By incorporating
a collaboration space that encourages community participation and community management, API
management platforms actively engage internal and external developers. The collaboration space
establishes a feedback channel between API consumers and providers. The platform should increase
API adoption by helping teams
- Streamline API publication and follow DevOps best practices
- Engage API consumers and lower API adoption barriers
- Actively manage API developer communities
- Foster a thriving, business-oriented API economy
Streamline API DevOps publication tasks by integrating API lifecycle activities with run-time infrastructure.
The platform should help teams rapidly publish APIs to external consumers and partners, as well as
to internal users. Evaluate the process used to deploy APIs into the production environment, and
learn if the platform enables immediate publication via one-click deployment to API gateway. Review
administrative tasks required to manage service tiers and rate plans.
Engaging API developers and consumers is the most important API management platform activity.
The platform should provide a storefront that actively promotes available APIs and enables consumers
to easily find, subscribe, evaluate, and use APIs. The developer portal should create a compelling
user experience that delivers developer documentation, sandbox access to test APIs, developer onboarding,
API self-service subscription, and API test facilities. Consumer oriented analytics will help
external teams understand the value provided by API connections, and social walls and forums will
help teams learn from their peers.
API management platforms help teams foster API adoption by actively managing internal and
external communities. Rather than simply 'publish and forget to an unknown audience', community
management and social capabilities enable teams to interact with developers and API users.
Teams can increase the relevance of the API marketplace by personalizing and contextualizing API
presentation and listings. Teams can establish special purpose domains to brand the APIs across
specialized channels.
Creating a value web and business functions supporting a thriving API economy requires establishing
API business models, creating an API marketplace, and implementing a monetization strategy. API
management platforms tuned for the API economy deliver a business driven user experience that
helps teams brand APIs, understand API value, and adopt an API as a product perspective.
To learn in-depth API publication and engagement evaluation criteria, review our evaluation matrix spreadsheet.
4.5 Monitoring and Run-time Management
Publishing unreliable or unavailable APIs will not increase engagement and foster a successful API
economy. API management platforms incorporate monitoring and management capabilities that
streamline DevOps activities, implement operational best practices, and enforce quality of service
(QoS) policies.
A comprehensive API management platform will support full-lifecycle activities including configuration
management, release management, patch management, and service level management. Service level
management should be policy driven and enable high availability, reliability, and performance. The
platform should monitor API availability, response time, latency, and usage. Monitoring inputs should
drive notification alerts and auto-healing actions. Disaster recovery, compliance reporting, and API
run-time governance are also important platform focus areas.
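The availability, latency and alerting checks described above, as an added Python example that is not WSO2 code: it parses a constructed gateway access log, computes per-API availability and p95 latency, and returns the alerts a policy-driven monitor would raise. The log line format, the API names and the SLA thresholds are assumptions for the demo.

```python
"""Added example (not WSO2 code): service level checks over gateway logs.

Parses constructed gateway access-log lines, computes per-API availability
and p95 latency, and returns the alerts a policy-driven monitor would raise.
The log format, API names and SLA thresholds are all assumed for the demo.
"""
import re
from collections import defaultdict

# Constructed sample log: timestamp api status latency_ms
GATEWAY_LOG = """\
2024-01-15T10:00:01Z orders/v1 200 120
2024-01-15T10:00:02Z orders/v1 200 95
2024-01-15T10:00:03Z orders/v1 503 2000
2024-01-15T10:00:04Z orders/v1 200 110
2024-01-15T10:00:05Z orders/v1 502 1800
2024-01-15T10:00:06Z inventory/v2 200 40
2024-01-15T10:00:07Z inventory/v2 200 45
2024-01-15T10:00:08Z inventory/v2 429 5
2024-01-15T10:00:09Z inventory/v2 200 900
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")

# Published SLA per API (assumed): minimum availability %, maximum p95 latency ms
SLA = {"orders/v1": (99.0, 500), "inventory/v2": (99.0, 500)}

def parse_log(text: str) -> dict:
    """Return {api: [(status, latency_ms), ...]}, ignoring malformed lines."""
    by_api = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, api, status, latency = m.groups()
            by_api[api].append((int(status), int(latency)))
    return by_api

def percentile(values: list, pct: int) -> int:
    """Nearest-rank percentile (pct in 0..100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, -(-len(ordered) * pct // 100))  # ceil(n * pct / 100)
    return ordered[rank - 1]

def api_metrics(by_api: dict) -> dict:
    """Availability counts only 5xx as failures: a 429 is the gateway
    enforcing the subscription tier, not a backing-service outage."""
    metrics = {}
    for api, calls in by_api.items():
        failures = sum(1 for status, _ in calls if status >= 500)
        metrics[api] = {
            "calls": len(calls),
            "availability": 100.0 * (len(calls) - failures) / len(calls),
            "p95_ms": percentile([latency for _, latency in calls], 95),
        }
    return metrics

def sla_alerts(metrics: dict) -> list:
    """Compare each API against its published SLA; one alert per breach."""
    alerts = []
    for api, m in metrics.items():
        sla = SLA.get(api)
        if sla is None:
            alerts.append(f"{api}: no published SLA, traffic is unmanaged")
            continue
        min_avail, max_p95 = sla
        if m["availability"] < min_avail:
            alerts.append(f"{api}: availability {m['availability']:.1f}% below SLA {min_avail}%")
        if m["p95_ms"] > max_p95:
            alerts.append(f"{api}: p95 latency {m['p95_ms']}ms above SLA {max_p95}ms")
    return alerts
```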
To learn in-depth API monitoring and management evaluation criteria, review our evaluation matrix spreadsheet.
4.6 API Lifecycle, Policy, and Community Governance
API governance is heavily influenced by IT business goals and objectives. Leading API governance
platforms provide analytics supporting the assessment of IT business value. The platform should
capture service tier subscription information, collect usage statistics, present productivity metric
dashboard views, and integrate with billing and payment systems.
API governance encompasses API subscriptions and API meta-data. Governance activities should
manage API meta-data. These activities may include rationalizing keyword tags used to categorize APIs
and facilitating content management on developer documentation. The governance process should
enforce design-time checkpoints before API publication.
An API management platform supporting comprehensive API governance will support the following
governance management categories:
- Meta-data management
- Service level management
- Version management
- Lifecycle management
- Usage management
- Portfolio management
To learn in-depth API governance evaluation criteria, review our evaluation matrix spreadsheet.
4.7 Analyze API Interactions
Adoption and usage are key API Economy performance metric categories. By understanding
API adoption and usage, API business owners and API architects can intelligently invest future
development resources, properly plan API infrastructure scale, and rationalize the API portfolio.
API analytic dashboards should help teams understand both a business and technical view of API
adoption, usage, and quality of service. API dashboards help teams ascertain the development
experience, validate security and service level compliance, quantify API brand value, and plan future
'API as a product' investments.
To learn in-depth API analytics evaluation criteria, review our evaluation matrix spreadsheet.
5. WSO2 API Management Platform Capabilities
The WSO2 API Management Platform delivers collaboration, security and identity, integration, service
level management, analytics, and enterprise governance capabilities (see Figure 1).
Figure 1: WSO2 API Management Platform Capabilities
To facilitate collaboration, API management platforms provide portals for API publishers and
consumers (see Figure 2). API publishers can easily provision their APIs, share documentation, manage
API keys, and gather feedback on APIs features, quality and usage. API developers consuming APIs
can rapidly find relevant APIs, discover APIs functionality, test APIs online, subscribe to APIs, evaluate
them, generate access keys, and interact with API publishers.
Figure 2: WSO2 API Management Platform Capabilities
Security capabilities include a key server (OAuth Server) tuned for API use cases. Teams can extend
core key and token management to address single sign-on (SSO) and social login with federated
identities. The platform may provide coarse-grained API authorization based on roles, and also
provide fine-grained authorization using OAuth scopes.
The API gateway enforces security, manages service level, and performs basic mediation (e.g.
message transformation, routing). Teams can extend the platform to include a full integration engine,
application adapters, and pre-built cloud connectors. When teams extend the WSO2 API Management
Platform with the WSO2 Enterprise Service Bus (ESB), they gain a unique advantage. Teams can readily
move integration logic between the gateway tier and the ESB tier. As traffic scales or integration flow
logic becomes complex, teams can offload integration processing from the gateway tier to the ESB tier.
Teams use API analytics to optimize their digital business strategy and demonstrate API value.
Analytics illustrates the business value of API subscribers, service tiers, monetization plans, and
security policies. By separating API meta-data from API code, teams can query the API meta-data
repository to identify popular APIs, consumers generating significant revenue, or heavily subscribed
service tiers.
Enterprise governance helps teams securely and safely build, publish, and consume APIs. The
WSO2 API Management Platform streamlines lifecycle management practices, validates developers
who onboard via on-demand self-service channels, and rate limits or throttles traffic to enforce
monetization strategies and ensure QoS.