The single API + developer community option is a project to write a good API (which we assume to cost the same as a single App, which might be high), plus a single person to support the community full time at a loaded cost of $150K, which is enough to get started, and certainly to support the first 10 apps. It could be more, but that’s beyond the complexity of this conversation.
Make sure to introduce the idea of 2 perspectives – provider and consumer. The provider needs to make sure his trains can run, and that stray animals don’t get in the way. The consumers need to make sure their horses don’t break their legs on these strange tracks!
• Version disruption (need mediation)
• SLA (is your provider delivering in a way that lets you meet your needs? If not, what can you do?)
• What if the provider changes terms and puts you out of business? (small company acquired, or Twitter example; need GRC for developer best practices)
• What are other employees in the org doing? (are we using 2 different sets of weather data, for example? Are we paying twice for the same information? Are we building higher level libraries twice, differently?)
• Are we conforming to internal standards around data, security, performance?
Capabilities in 3 buckets:
• API Portal: API providers set up a portal for their APIs to attract and on-board external app developers. It allows client app developers to search the APIs they need, read up on the documentation and get notifications on APIs they use.
• API Gateway: Allows API managers to secure and mediate traffic between the API consumers and back-end servers. Also allows monitoring of API traffic to collect metrics for tasks such as performance dashboards and invoicing.
• API Lifecycle: Allows API developers to manage the entire process of designing, developing, deploying, versioning and retiring APIs. This is a critical piece for implementing a sustainable API strategy.
In addition to API capabilities, it is also important to consider the operational aspects of an API management solution. Obviously you need something that will scale elastically with the peaks and valleys of demand. Mobility is a huge driver for APIs and the #1 reason why it is hard to predict demand. You also need your solution to support high availability. APIs are essentially a globally available resource, and adoption of your API depends on highly reliable operation. Another thing that sometimes gets overlooked is the ease of ensuring smooth operations: how easy it is to do daily housekeeping tasks such as taking timely backups and cleaning up log files, and even to automate some of these tasks using scripts. Operational governance is another key aspect. Who has the rights to provision and de-provision APIs? What are the criteria for doing so? What is the process for changing the authentication mechanism for APIs? What is the security model and what are the rights based on roles? Consider deployment options for API management: what combination of cloud, on-premise and hybrid works for your organization. It is probably easiest to think in terms of the API capabilities we discussed and where they can be deployed. For instance, is the monitoring piece of your API gateway deployed on-premise or in the cloud? There’s no one right answer, but your API management solution needs to support a good mix of options. Finally, also consider if it makes sense to have a separate solution for both internal and external APIs.
In this example, client app developers perform a full-text search. The results are displayed in a Google-type layout. They can narrow down searches using keywords. Developers can then select a group of APIs and perform actions such as setting up a watch, marking them as their favorite, and/or requesting access.
Or another example, where your API portal may provide app developers a selection of graphical widgets to track their personal KPIs. For instance, which APIs are most used by mobile applications, what kind of apps other developers are building using a specific API, or which are the most popular APIs. Next let’s look at some API gateway examples.
This example shows how an API Gateway may implement traffic management policies. API managers can shape the incoming traffic to a granular level. They can apply a throttling limit across a segment of API consumers or across all consumers. They can decide to shut down the API request when violations happen, or simply issue a warning to the user and log notifications.
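The policy behaviour described in this note, as an added sketch that is not from the presentation or from any product: one throttling rule scoped to a segment of consumers that rejects on violation, and one applied across all consumers that only warns and logs. The class names, policy names and consumer ids are hypothetical, and the traffic is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ThrottlePolicy:
    """One traffic-management rule (hypothetical model, not a product API)."""
    name: str
    limit: int                  # max requests per window
    window_s: int               # fixed window length in seconds
    on_violation: str           # "reject" the request, or "warn" and let it pass
    segment: frozenset = None   # consumer ids covered; None = all consumers
    per_consumer: bool = True   # False = one counter shared by the whole scope
    _state: dict = field(default_factory=dict, repr=False)

    def applies_to(self, consumer):
        return self.segment is None or consumer in self.segment

    def within_limit(self, consumer, now):
        """Count this request in the current window; True if still within limit."""
        key = consumer if self.per_consumer else "*"
        window = int(now // self.window_s)
        start, count = self._state.get(key, (window, 0))
        count = count + 1 if start == window else 1
        self._state[key] = (window, count)
        return count <= self.limit

class Gateway:
    def __init__(self, policies):
        self.policies, self.log = policies, []
    def handle(self, consumer, now):
        """Return (allowed, warnings) for one request; violations are logged."""
        warnings = []
        for p in self.policies:
            if not p.applies_to(consumer) or p.within_limit(consumer, now):
                continue
            self.log.append((now, consumer, p.name, p.on_violation))
            if p.on_violation == "reject":
                return False, warnings
            warnings.append(f"{p.name}: over {p.limit} requests per {p.window_s}s")
        return True, warnings

def demo():
    gw = Gateway([
        ThrottlePolicy("trial-tier", 2, 60, "reject",
                       segment=frozenset({"app-trial"})),
        ThrottlePolicy("global-soft", 3, 60, "warn", per_consumer=False),
    ])
    # Constructed traffic: (consumer id, seconds since start)
    traffic = [("app-trial", 1), ("app-trial", 2), ("app-trial", 3),
               ("app-partner", 4), ("app-partner", 5), ("app-trial", 61)]
    return [gw.handle(c, t) for c, t in traffic], gw.log
```

A request rejected by an earlier policy is not counted by later ones, so the order of the policy list matters.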
In this example of an API gateway, you see how it makes it easy to apply a combination of monitoring and security policies. API managers simply check, from a list of pre-populated options, all the policies that they need to apply consistently to API invocations. OK, a couple more examples, for API lifecycle management.
In this example of an API lifecycle there are four states that an API goes through: proposed, approved, in production and retired. The example shows how it is possible to define transitions from one state to another, and what checks may be performed at the gate before the transition is completed. Again, a great way for API developers to ensure that the APIs exposed meet the standards and the goals of the API strategy.
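The four-state lifecycle with gated transitions, as an added sketch that is not from the presentation or the product: the state names come from the note above, while the individual gate checks, field names and sample values are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Api:
    name: str
    state: str = "proposed"
    owner: str = ""
    docs_url: str = ""
    auth_policy: str = ""   # empty = no authentication policy attached
    consumers: list = field(default_factory=list)  # apps known to call the API
    history: list = field(default_factory=list)    # audit trail of transitions

# The only transitions allowed; each gate is (check, failure reason).
# The checks themselves are hypothetical examples of gate criteria.
GATES = {
    ("proposed", "approved"): [
        (lambda a: a.owner, "no accountable owner"),
        (lambda a: a.docs_url, "no documentation published")],
    ("approved", "in production"): [
        (lambda a: a.auth_policy, "no authentication policy attached")],
    ("in production", "retired"): [
        (lambda a: not a.consumers, "still used by {api.consumers}")],
}

def transition(api, target, actor):
    """Move api to target only if the transition is defined and all gates pass."""
    gates = GATES.get((api.state, target))
    if gates is None:
        return False, [f"{api.state} -> {target} is not a defined transition"]
    failures = [msg.format(api=api) for ok, msg in gates if not ok(api)]
    if not failures:
        api.history.append((api.state, target, actor))
        api.state = target
    return not failures, failures

def demo():
    # Constructed sample data; owner and docs_url values are placeholders.
    api = Api("WarehouseInformation", owner="team-a",
              docs_url="https://portal.example/wh")
    steps = [transition(api, "in production", "alice")]    # skips approval
    steps.append(transition(api, "approved", "alice"))
    steps.append(transition(api, "in production", "bob"))  # no auth policy yet
    api.auth_policy = "oauth2"
    steps.append(transition(api, "in production", "bob"))
    api.consumers = ["Mobile CRM", "Employee Portal"]
    steps.append(transition(api, "retired", "carol"))      # blocked by consumers
    return api, steps
```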
In this final example, this API lifecycle capability lets you graphically analyze the impact of changes to the WarehouseInformation API. It shows that the Mobile CRM and Employee Portal applications are using the API. And it shows that this API is related to the Warehouse Inventory Process and uses the canonical definition of an employee. Now, there are a number of reasons why organizations may implement APIs. Some organizations use APIs to unlock the business value of their unique data, whereas others use APIs to better enable partners and increase their reach. Finally, many are using APIs as the means to mobilize their enterprise applications. I have hand-picked a couple of our customers to illustrate how diverse the business drivers for APIs can be.
EPA’s data standards branch (DSB) has implemented Reusable Component Services, or RCS, which is an umbrella registry serving as a clearinghouse for all kinds of reusable components regardless of where they reside. Why? DSB has been repeatedly approached by Exchange Network partners and EPA programs for access to various services and reusable components to support their information management needs. RCS serves as the vehicle for this outreach and discovery. The services provide a one-stop place to discover components of many different types, hosted and/or managed by many different organizations. RCS contains over 1000 assets and federates data for a dozen different registries and sources. For developing new applications using environmental data, RCS provisions APIs that are used by EPA programs, public mobile apps, web sites and data.gov. Developers can go to EPA’s site called Developer Central, where they can search for the appropriate API. For instance
Envirofacts API is a centralized data warehouse which provides access to several EPA environmental databases. Envirofacts has developed a RESTful data service API to all of its internal data holdings.
Based on EPA’s data, EPA now has a collection of 100+ “Green Apps”. You can find apps by mobile platform and by topic, or suggest a new app. EPA hosted a developer challenge in summer of 2011 to encourage developers to create green apps.
This is one of the top 3 logistics companies in the world. It believes that freight shipping should be just as easy as shipping documents around the world. This company hosts an API that is used by procurement and logistics officers to access over 140 services across different types of freight: sea, air, road and rail. Examples of such services include shipment tracking and border toll calculation. The company is now planning a self-service portal to expose the APIs to customers and partners, who can use it to onboard applications and to collaborate. Under the covers the API is powered by virtualized services that are securely exposed to external consumers. A small group of experts manages the operational aspects of hosting the API, including provisioning and deprovisioning of services. The system allows business owners of services to track consumption and usage of those APIs.
wM Gateway: Inspects the headers
• For DoS checks (global or by consumer)
• Does basic firewall checks
• Message Size Limit Checks
• OAuth2 app to service validation (in 9.0)
Cross-Origin Resource Sharing (CORS) is a W3C spec that allows cross-domain communication from the browser.
API Management Demystified
API Management Demystified
#APISoftwareAG
David Bressler, Chief Architect
Manmohan Gupta, Director Product Marketing

March 2, 2013 | 2
David Bressler
Chief Architect
@djbressler

Agenda
• Why API’s and Why now?
• What is API Management
• Enterprise API Trifecta
• Capabilities of API Management
• API Management Infrastructure
• Customer Case Studies

Poll #1: Are you currently exposing APIs for developers or have plans to do so? (Choose One. Tweet to explain your choice. Use #APISoftwareAG.)
a) Yes, mostly internally
b) Yes, mostly externally
c) Yes, both internally and externally
d) No plans to do so

[Diagram labels: Experience, Capabilities, System]

[Diagram labels: Experience, Capabilities, API, System]

You Don’t Have to Do It All Yourself
[Diagram labels: Experience, Capabilities, API, System]
“Standards”:
1. REST
2. JSON
3. Industry Data

API’s Help Organizations Delegate Complexity - Mall of America Brand Manager

Cost of Ownership
[Chart: Cost of Ownership, axis from $- to $600,000, for three options: Single App; Single API & Developer Community; 10 Apps]

Review: API’s & Why Now?
• Mobile / Tablets
• Need to do more with less
• Very connected world, have to reach the long tail
• Digital natives expect to be able to “solve their own problems”

ProgrammableWeb (Jan 2013 Survey)

Providing API’s
• New Support Model
• Service Level Agreements
• Security
• Governance, Risk, & Compliance
• API Versioning

ProgrammableWeb (Jan 2013 Survey)

Consuming API’s
• Versioning Disruption
• Service Level Agreements
• Data Security
• Risk to Business Model (dependent on T&C of Provider)
• Governance, Risk, & Compliance

Summary
• Delegating complexity provides leverage
• API’s are part of the cultural narrative
• 2 perspectives – Producer & Consumer
• Producers require a mechanism to deliver a new support model, as well as manage the lifecycle of the API
• Consumers require a way to manage risk to prevent disruption from provider technical or business term changes

Poll #2: Do you agree with the way we have defined API management? (Choose One. Tweet to explain your choice. Use #APISoftwareAG.)
a) Yes
b) No
c) Kind of agree (or I am still learning)

Enterprise API Trifecta
1. API Management
2. Code Academies
3. Hackathons & Coding Challenges
http://bit.ly/APItrifecta

API Management: Functional Capabilities
API Portal (For App Developers)
• Discover APIs
• Understand usage &
• Sign up for access
API Gateway (For API Managers)
• Secure & mediate the traffic between APIs & its consumers
API Lifecycle (For API Developers)
• Manage the process of design, development, deployment, versioning of APIs

Poll #3: Which capabilities do you see as most critical for an API management solution? (Multiple Choice. Tweet to explain your choice. Use #APISoftwareAG.)
a) API portal
b) API gateway
c) API design & lifecycle

API Management: In Operation
• Rapid Scalability
• 24x7 Availability
• Ease of smooth operations
• Operational governance
• Deployment options

API Management: Value Delivered
• Build an API portal for API discovery & collaboration
• Host & mediate API’s securely
• Manage the process of planning, designing & developing APIs
• Understand API usage with analytics & reporting

API Management: Infrastructure
[Diagram labels: Client App Developers, Cloud, Discover APIs, Client Apps, API Portal, Invoke APIs, DMZ, Optional Load Balancer, API Gateway, Edge Security, API Managers and API Developers, Enterprise, API Metering & Analytics, API Gateway, CentraSite, API Lifecycle, Mediation, API Lifecycle & Design Strategy, Publish APIs, Invoke Backend Services, Enterprise Service Bus]

API Portal: Usage Dashboard Example

API Gateway: Traffic Management Example

API Gateway: Runtime Monitoring Example

API Lifecycle: Lifecycle States Example

API Lifecycle Management: Dependencies Example

Partnership among States and EPA for exchange of environmental info.
The mission of the EPA is to protect human health & the environment.
APIs to deliver Environmental Data for the State Agencies and Developers

Leading Global Logistics Corporation
“Freight should be as simple as shipping parcels”
API to access 140+ procurement & logistics services for sea, air, road & rail freight

API Management in webMethods
API Portal
• Organizing & documenting APIs with custom taxonomies
• Full-text search of APIs with Google style search results
• Consumer onboarding with approval workflow
• API Dashboards with a large selection of widgets to track personal KPIs
• Customizable information feeds for collaboration with other developers
API Gateway
• DMZ-level security between client apps and internal APIs
• Extensive mapping & transformation support, allowing API consumers to have flexibility in protocols, message formats & transports
• OAuth2 based authentication & authorization.
• Single point to set up policies to uniformly secure and monitor API access
• API traffic management to shape the incoming traffic to a granular level.
API Lifecycle
• Lifecycle management of APIs & metadata from inception/design all the way to deployment
• Automatic provisioning of policies based on a specific criteria
• Graphic view of API dependencies & versions