API Management Platform Technical Evaluation Framework

APIs establish the digital business core. APIs define your business data, processes, and capabilities that can be consumed across internal projects and external communities. In an increasingly connected world, APIs are your core business product; exposing your valuable services across customer, partner, and supplier channels.

This white paper will describe innovative digital business goals, outline transformative API oriented IT initiatives, and present API management platform requirement categories. A companion evaluation matrix spreadsheet details hundreds of evaluation criteria that you may use to score vendor platforms.

Every business is a digital business. Consumers, business partners, and employees expect timely, round the clock access to business information, processes, and notifications. Successful companies enable digital interactions and digital moments that transform business to business, business to consumer, and business to employee relationships. A well-executed digital strategy empowers teams to:

• Accelerate business innovation
• Craft new digital business models
• Build new digital channels and ecosystems

Internal development teams, external partners, and third-party developers accelerate business innovation by composing solutions from ready-made API building blocks. Because the API building blocks are RESTful, secure, and conform to well-defined service level agreements, teams can trust the availability and reliability of the published business capability. By tapping into ready-made APIs, teams can focus on higher value, innovative business scenarios. The innovative business scenario can be an incremental improvement or kickstart a disruptive new business venture.

Business innovation can improve customer intimacy, enhance customer experience, and drive customer engagement.

Customer intimacy strengthens customer loyalty and positively influences customer lifetime value. By analyzing customer purchase patterns, recommendations, and intent, companies better understand the context driving customer behavior and sentiment. APIs enable a direct, intimate connection with customers through mobile applications, sensor data, and well-integrated partner systems.

By connecting mobile apps with cloud APIs, business teams can introduce context-driven advice and actions into the customer experience. Smart solutions can intelligently tailor recommendations and product behavior that increases customer productivity, efficiency, and satisfaction. activity-driven alerts and notifications increase customer engagement. By analyzing user interactions with your product, your team can craft context driven recommendations and reminders.

Cloud APIs communicate real-time status and action triggers. Action triggers may prompt users to explore unseen features, follow best practices, accept configuration recommendations, or perform maintenance. By aggregating and analyzing telemetry information, teams can create products that shorten periods between uses, increase usage duration, promote popular features, and improve the user experience.

Instead of delivering static, monolithic products and services, APIs create an opportunity to whitelabel, embed, and monetize business capabilities. Business teams are offering content brokers and information hubs that share data aggregated from millions of devices and billions of customer interactions. The aggregate dataset can help identify trends, structural market shifts, and economic patterns.

By integrating third-party capabilities, rather than building and hosting the capability internally, companies tap into an extended ecosystem of best-of-breed analytics, customer preference repositories, social sentiment, and business capabilities (i.e. payment, digital marketing, shipment expeditors). Teams are publishing APIs to tap into mobile application developers, external suppliers, and third-party digital storefronts. For example, mobile application developers can connect the retailer with mobile app customers and extend the reach and exposure of retail goods (especially in 'flash sale' or 'sale liquidation' scenarios). Additionally, organizations can tightly integrate their business processes with external suppliers and can use APIs to gauge product demand across the supply chain and enhance product availability. A company may also use APIs to integrate with third-party organizations and vendors who desire to white-label the business capability on their digital storefront or digital property. The digital strategy is similar to a department store or shopping mall, which allocates floor space and advertising to a specific vendor.

Successfully implementing API oriented technology strategies will advance your organization towards digital business goals. Key technology strategies include

• API-centric enterprise
• API economy
• Mobile and IoT
• Service oriented architecture
• Microservice architecture
• API management

API-centric enterprise organizations reach more customers and generate greater business activity. APIs facilitate interconnecting business processes across an extended value chain. Partners, suppliers, distributors, and customers can readily tap into a business capability offered as an API, and increase business interaction over the API channel. API-centric enterprises move beyond destination ecommerce to embrace decentralization, personalization, contextualization, gamification, and dynamic distribution channels. Technology trends embracing these concepts include mobile, machine-tomachine, person-to-person, and business-to-developer channels. In each case, APIs are the connecting glue across distributed solution actors and components.

API-centric organizations take an outside-in approach to business. Instead of providing monolithic products and services, APIs create an opportunity to white-label, embed, and monetize business capabilities. Also, APIs provide an opportunity to become a content broker and information hub.

Internal development teams, external partners, and third-party developers accelerate business innovation by composing solutions from ready-made API building blocks. Because the API building blocks are RESTful, secure, and conform to well-defined service level agreements, teams can trust the availability and reliability of the published business capability. By tapping into ready-made APIs, teams can focus on delivering higher value, innovative business scenarios. Target innovative business scenario can be an incremental improvement or kickstart a disruptive new business venture.

By integrating third-party capabilities, rather than building and hosting the capability internally, companies tap into an extended ecosystem of best-of-breed analytics, customer preference repositories, social sentiment, and business capabilities (i.e. payment, digital marketing, shipment expeditors). Teams are publishing APIs to tap into mobile application developers, external suppliers, and third-party digital storefronts. For example, mobile application developers can connect the retailer with mobile app customers and extend the reach and exposure of retail goods (especially in ‘flash sale’ or ‘sale liquidation’ scenarios). Additionally, organizations can tightly integrate their business processes with external suppliers and can use APIs to gauge product demand across the supply chain and enhance product availability. A company may also use APIs to integrate with third-party organizations and vendors who desire to white-label the business capability on their digital storefront or digital property. The digital strategy is similar to a department store or shopping mall, which allocates floor space and advertising to a specific vendor.

API-centric organizations take an outside-in, customer-first approach to business. They sit alongside the customer, gauge surrounding environmental context, and enrich customer activities. By monitoring customer actions, surrounding events, and progress towards goals, mobile or Internet of Things (IoT) devices create an adaptive feedback channel that turns static products into smart, active participants.

Mobile or IoT devices reside within a customer’s pocket, on their wrist, in their car, or embedded within their home or business workplace. The devices collect location, environment, movement, and activity information from embedded GPS sensors, cameras, accelerometers, thermometers, and machine controllers. Because device sensors are ‘next to the action’, interconnected through APIs, and interfaced with Internet Cloud services, businesses gain insight into customer interactions with their product. Smart IoT and mobile solutions analyze customer interaction and context data to enhance customer satisfaction, increase customer engagement, and tune subscription revenue models.

APIs are a strategic component supporting your service oriented architecture initiative. To create an architecture that effectively promotes re-use and sharing, teams should build a service environment following ECD principles (i.e. externalization, consumerization, and democratization). APIs externalize business capabilities. APIs democratize service development, and APIs consumerize service consumption.

In many organizations, APIs proliferate (1,000s of APIs) and are minimally re-used. Because there is often minimal communication, inefficient coordination, and a lack of trust, teams underutilize API assets. Team members often find it difficult to understand who is consuming APIs, who is writing re-usable APIs, and whether the API is scalable and secure. Without an agile process to find, explore, evaluate, and subscribe to APIs, teams commonly re-build rather than re-use. The prevalent SOA anti-patterns of Not Invented Here (NIH), tight coupling, and ‘build again’ are reinforced when teams do not know about an API’s existence or cannot easily map API functionality to the needed business capability. Exasperating the situation, bureaucratic red tape creates delays in being able to access the API. Without reliable infrastructure to track usage, manage access, ensure quality of service, or monetize the API asset, providers often restrict API consumers to private, internal team use.

API management solves structural trust, adoption, and collaboration challenges. To learn more, read the "Promoting Service Re-use with API Management" white paper.

When taking a micro-service design approach, teams divide business solutions into distinct, full-stack business APIs owned by autonomous teams. A micro-service based application weaves multiple atomic micro-services (exposed as APIs) into a holistic user experience. Unfortunately, traditional service delivery models do not address unique micro-service demands for dynamic provisioning, service composition, and service level management. A platform as a service (PaaS) and API management environment is a perfect fit. Running micro-APIs on PaaS and API management infrastructure fabric decreases solution fragility, reduces operational burden, and enhances developer productivity.

Publishing a naked API will result in run-time quality of service issues, inefficient community scaling, and limited consumer adoption. A naked API is not monitored, managed, secured, documented, or accessible via a self-service subscription portal.

When development teams publish APIs, they explicitly separate service interface from service implementation. Managed API endpoints are lightweight proxies enforcing security, monitoring usage, and shaping traffic. The API proxy enables a clear separation of concern between consumer interface contract and back-end service implementation.

A managed API is

• Actively advertised and subscribe-able
• Available with an associated, published service-level agreement (SLA)
• Secured, authenticated, authorized and protected
• Monitored and monetized with analytics

While all services should exhibit managed API characteristics, most service endpoints are deployed on platforms that don't deliver management characteristics. By applying the API façade pattern, teams can layer network addressable endpoints, monitor usage, enforce usage limits, shape traffic, and authorize consumers. API management infrastructure should guide teams towards best practice in

• API design and implementation
• Securing Interactions
• Publication and community engagement
• Monitoring and run-time management
• API lifecycle, policy, and community governance
• API analytics

Additionally, to provide a scalable, high performance, shared infrastructure service, the API management environment should exhibit a flexible, enterprise-scale solutions architecture.

An API management platform must interface and integrate into your solutions architecture. The DevOps and API consumer learning curve must be low. A flexible API management platform will adjust to your project’s solution architecture requirements for scaling, identity management, security, development lifecycle, and API branding. Evaluate API management platforms by their ability to

• Deliver high quality of service
• Easily deploy in your run-time environment
• Integrates with core infrastructure platform services
• Delivers platform APIs

Applying your organization’s corporate brand to the API portal will help make your API initiative stand out from the crowd and enhance your company’s brand image. Evaluate if the API platform’s user experience is pluggable, extensible, and themable. Determine if the platform delivers an intuitive development experience for API creators, publishers, and consumers. Understand how your existing DevOps and governance practices can be applied to API management activities. Key evaluation categories include

• Intuitive development experience
• DevOps friendly

While many teams start API management platform adoption with a single API portal reaching out to a single developer community, presenting a single brand, or connecting with a distribution channel, efficiently scaling API across multiple communities or channels requires embedded support for multi-tenancy. Multi-tenancy includes tenant branding, tenant administration, and tenant specific API storefronts.. Evaluate platform cost versus reach by analyzing

• Platform multi-tenancy support
• Efficient pricing model and excellent support

To learn in-depth solution architecture evaluation criteria, review our evaluation matrix spreadsheet.

APIs differ from backing services by design. APIs expose a RESTful, resource oriented facade that enforces security and quality of service policies. Significant API creation activity categories include:

• API design
• API façade development
• Service level definition
• API Mediation
• API documentation
• API test

API management platform tooling should guide developers towards best practice API design, and help developers create resource-oriented schema interface definitions, define location awareness and geo-fences, generate client SDKs, and orchestrate back-end calls. The platform should help teams generate and apply re-useable service level definitions that describe rate limits, subscription tiers, and access control scopes. While mediation is usually better scaled in a separate run-time topology tier, the API façade design tooling should assist in the end-to-end development process, which may include defining API message processing actions using enterprise integration pattern (EIP) mediation primitives

When teams can't understand how to use your API, they probably will go elsewhere. API documentation facilities should enable teams to upload 'how to' guides, samples, message schemas, and policy descriptions. The ability to auto-generate documentation from resource definition files is extremely helpful, and full content management system capabilities help teams version documentation resources.

API testing capabilities may span client consoles, API message debugging, sequence tracing, log viewers, report generation, and test automation. Teams may quickly stand up mock-API responses and specify sandbox, backing service URLs for rapid, agile development.

To learn in-depth API design and implementation evaluation criteria, review our evaluation matrix spreadsheet.

When exposing business capabilities to external parties and third-party developers, security is a paramount concern. API management platform security capabilities overlap with service gateways, firewalls, identity management, and access control components. Enterprise-ready platforms will integrate with existing security infrastructure and distribute platform capabilities across appropriate security zones. API management platforms may provide

• Access control, authentication, and key management
• Entitlement assertions
• Attack prevention
• Confidentiality, integrity, and privacy
• Identity management
• User management

Access control, authentication, entitlement assertions, and key management capabilities are based on the OAuth2, Java Web Tokens (JWT), TLS, and SAML specifications. Both coarse grained access controls (API level, method level) and fine grained access controls (resource scopes) enable teams to lock down API access across multiple user profiles. Because APIs are usually externally facing, the platform should provide the ability to publish APIs that are accessible across multiple tenants, anonymous consumers, whitelisted and blacklisted IP addresses, and specific user roles.

While most API interactions will be authorized via tokens, token generation or refresh requires authenticating the user, client device, or application. API management platforms should use standard protocols (OpenID, SAML) and interface with third party cloud identity services (e.g. Google, Facebook) or enterprise identity providers.

API management platforms may provide sophisticated key management for authentication credentials and authorization tokens. The platform should provide the ability to automatically generate, revoke, and refresh keys. The platform should associate keys with specific authorization scopes, API resources, and API environments (i.e. development, sandbox, production).

Attack prevention includes stopping denial of service, malware, message injection, malicious scripting, parameter fuzzing, and system overload attacks. The API management platform should complement existing firewalls, security proxy servers, and secure enterprise intrusion management (SIEM) systems.

In addition to securing APIs, the platform should conform with enterprise security governance and security compliance policies. Establishing trust relationships between network zones, gateways, identity repositories, key managers, and backing services is an important implementation consideration. The platform should follow enterprise approval workflow when granting API creation, publication, deprecation, and retirement. Important additional workflow processes include developer registration, user access, key generation, and API subscription.

To learn in-depth API security evaluation criteria, review our evaluation matrix spreadsheet.

API management platforms accelerate adoption and streamline API DevOp tasks. By incorporating a collaboration space that encourages community participation and community management, API management platforms actively engages internal and external developers. The collaboration space establishes a feedback channel between API consumers and providers. The platform should increase API adoption by helping teams

• Streamline API publication and follow DevOps best practices
• Engage API consumers and lower API adoption barriers
• Actively manage API developer communitiess
• Foster a thriving, business-oriented API economy
• Streamline API DevOps publication tasks by integrating API lifecycle activities with run-time infrastructure.

The platform should help teams rapidly publish APIs to external consumers and partners, as well as to internal users. Evaluate the process used to deploy APIs into the production environment, and learn if the platform enables immediate publication via one-click deployment to API gateway. Review administrative tasks required to manage service tiers and rate plans.

Engaging API developers and consumers is the most important API management platform activity. The platform should provide a storefront that actively promotes available APIs and enables consumers to easily find, subscribe, evaluate, and use APIs. The developer portal should create a compelling user experience that delivers developer documentation, sandbox access to test APIs, developer onboarding, API self-service subscription, and API test facilities. Consumer oriented analytics will help external teams understand the value provided by API connections, and social walls and forums will help teams learn from their peers.

API management platforms help teams foster API adoption by actively managing internal and external communities. Rather than simply 'publish and forget to an unknown audience', community management and social capabilities enable teams to interact with developers and API users. Teams can increase the relevance of the API marketplace by personalizing and contextualizing API presentation and listings. Teams can establish special purpose domains to brand the APIs across specialized channels.

Creating a value web and business functions supporting a thriving API economy requires establishing API business models, creating an API marketplace, and implementing a monetization strategy. API management platforms tuned for the API economy deliver a business driven user experience that helps teams brand APIs, understand API value, and adopt an API as a product perspective.

To learn in-depth API publication and engagement evaluation criteria, review our evaluation matrix spreadsheet.

Publishing unreliable or unavailable APIs will not increase engagement and foster a successful API economy. API management platforms incorporate monitoring and management capabilities that streamline DevOps activities, implement operational best practices, and enforce quality of service (QoS) policies.

A comprehensive API management platform will support full-lifecycle activities including configuration management, release, management, patch management, and service level management. Service level management should be policy driven and enable high availability, reliability, and performance. The platform should monitor API availability, response time, latency, and usage. Monitoring inputs should drive notification alerts and auto-healing actions. Disaster recovery, compliance reporting, and API run-time governance are also important platform focus areas.

To learn in-depth API monitoring and management evaluation criteria, review our evaluation matrix spreadsheet.

API governance is heavily influenced by IT business goals and objectives. Leading API governance platforms provide analytics supporting the assessment of IT business value. The platform should capture service tier subscription information, collects usage statistics, present productivity metric dashboard views, and integrate with billing and payment systems.

API governance encompasses API subscriptions and API meta-data. Governance activities should manage API meta-data. These activities may include rationalizing keyword tags used to categorize APIs and facilitating content management on developer documentation. The governance process should enforce design-time checkpoints before API publication.

An API management platform supporting comprehensive API governance will support the following governance management categories:

• Meta-data management
• Service level management
• Version management
• Lifecycle management
• Usage management
• Portfolio management

To learn in-depth API monitoring and management evaluation criteria, review our evaluation matrix spreadsheet.

Adoption and usage are key API Economy performance metric categories. By understanding API adoption and usage, API business owners and API architects can intelligently invest future development resources, properly plan API infrastructure scale, and rationalize the API portfolio.

API analytic dashboards should help teams understand both a business and technical view of API adoption, usage, and quality of service. API dashboards help teams ascertain the development experience, validate security and service level compliance, quantify API brand value, and plan future 'API as a product' investments.

To learn in-depth API analytics evaluation criteria, review our evaluation matrix spreadsheet.

The WSO2 API Management Platform delivers collaboration, security and identity, integration, service level management, analytics, and enterprise governance capabilities (see Figure 1).

To facilitate collaboration, API management platforms provide portals for API publishers and consumers (see Figure 2). API publishers can easily provision their APIs, share documentation, manage API keys, and gather feedback on APIs features, quality and usage. API developers consuming APIs can rapidly find relevant APIs, discover APIs functionality, test APIs online, subscribe to APIs, evaluate them, generate access keys, and interact with API publishers.

Security capabilities include a key server (OAuth Server) tuned for API use cases. Teams can extend core key and token management to address single sign-on (SSO) and social login with federated identities. The platform may provide coarse-grained API authorization based on roles, and also provide fine-grained authorization using OAuth scopes.

The API gateway enforces security, manages service level, and performs basic mediation (e.g. message transformation, routing). Teams can extend the platform to include a full integration engine, application adapters, pre-built Cloud connectors. When teams extend the WSO2 API Management Platform with the WSO2 Enterprise Service Bus (ESB), they gain a unique advantage. Teams can readily move integration logic between the gateway tier and the ESB tier. As traffic scales or integration flow logic becomes complex, teams can offload integration processing from the gateway tier to the ESB tier.

Teams use API analytics to optimize their digital business strategy and demonstrate API value. Analytics illustrates the business value of API subscribers, service tiers, monetization plans, and security policies. By separating API meta-data from API code, teams can query the API meta-data repository to identify popular APIs, consumers generating significant revenue, or heavily subscribed service tiers.

Enterprise governance helps teams securely and safely build, publish, and consume APIs. The WSO2 API Management Platform streamlines lifecycle management practices, validates developers who onboard via on-demand self-service channels, and rate limits or throttles traffic to enforce monetization strategies and ensure QoS.