SlideShare a Scribd company logo

The DNA of a great API

Download as PPTX, PDF
Ciprian Sorlea CSM-CSPO
Ciprian Sorlea CSM-CSPO

Find out what it takes to build API's that your target audience will love while also keeping it business focused.

Technology
1 of 75
The DNA of a GREAT API Ciprian Sorlea, CTO October 2015 Building API’s that developers will love
06.11.2015 2 What’s an API: Any API: • allows Software components, systems and subsystems to interact. • hides the complexity of the underlying architecture and functionality • focuses on separation of concerns • allows callers/consumers to access resources (ex. CRUD operations) or to perform various operations on top of the resources
06.11.2015 3 Qualities of a good API: A good API must be: • domain specific, simple and easy to use • consistent (naming, parameters, etc.) • stateless • transparent & clear in terms of error trapping • accessible (from different platforms, languages, etc.)
06.11.2015 4 From Good To Great: A great API must be: • well documented and should provide many working samples • fast, secure, scalable and reliable • forward and backwards compatible (versioning) • “self aware”: usage statistics, logs/traces
06.11.2015 5 From Good To Great: A great API must go the extra mile
06.11.2015 6 Who are the consumers? An API can be consumed by: - A web application - A desktop application - A mobile application - Another API - An integration test - A 3rd party integration - Internet Of Things - A home appliance, a wearable device, a smart gadget
06.11.2015 7 Now, let’s remember…. Who is your target audience? Developers
06.11.2015 8 A big question & challenge: How do we handle all these uses cases, while also making it easy for Developers?
06.11.2015 9 Things to consider: - Transport: how do we exchange data? - Resource models: what kind of data do we exchange? - API Architecture patterns: how do we design our API? - Error Handling: how do we handle errors & failure? - Testing: how do we make our API bullet proof? - Security: how do we protect our data (or ourselves)? - Manageability: how can we manage our API and support it operation-wise? - Evolution: how do we ensure our API is future-proof? - Adoption: how do we make sure our API will be adopted?
API Transport how do we exchange data?
06.11.2015 11 API Transport REST API: - Recommended for external integrations and applications, 3rd party apps and plugins - Use JSON & XML over HTTP(s) - Use established Security mechanisms (OAuth2, Basic Authentication, etc.)
06.11.2015 12 API Transport RPC / Binary Protocol: - Recommended for internal usage or high throughput requirements, IOT and devices with limited networking capabilities / bandwidth - Use Apache Thrift, Google Protobuff or alternatives - Use simplified authentication and authorization model to minimize overhead – assume working in safer environment
Note: For now, we’ll focus on REST API’s
API Resource Models what kind of data do we exchange?
06.11.2015 15 API Resource Models Resources are the heart and soul of the API Resources represent the abstraction of any information we exchange and operate on within an API Domain Model ~= Resource Model
06.11.2015 16 API Resource Models Resource classification: - Singleton – can be part of a collection or can be stand-alone - ServerInfo – Server Information can be exposed as a standalone singleton resource - User – User information can be exposed as a resource, part of a collection - Collection – a list of so called documents belonging to the same domain - Users - Products - Orders - Documents
06.11.2015 17 API Resource Models Minimal Resource Model Attributes: - URI: Unified Resource Identifier - represents the unique URL by which a resource can be accessed - HATEOAS takes this to the extreme level - Ex: http://api.domain.com/v1/serverInfo, http://api.domain.com/v1/users/1, http://api.domain.com/v1/projects/ - ID: - required when the resource is a singleton as part of a collection - a numeric ID (ex: 1029) or a GUID (ex. c366728d-ca93-4b23-a4b9-ae360600b86a) - can be the database specific primary key (ex. auto generated) or can use a custom field with random generated values, to enhance security
06.11.2015 18 API Resource Models Important consideration: - Ensure your resource models can be properly represented in any transport models (ex. JSON, XML) and without significant effort (Ex. Don’t try to use complicated bit level data in your models) - Follow the Open Close principle. This will make your resources future-proof - Ensure the API resource model doesn’t carry with it the DB optimizations and complexity
API Architecture Patterns (archetypes) how do we design our API?
06.11.2015 20 API Archetypes The de-facto API Archetypes: • Document – a singleton resource • Collection – a collection of resources • Repository (also known as Store) – a collection of immutable resources • Controller – an action dispatcher *** *** Should be avoided. Explanation later.
06.11.2015 21 API Archetypes Pseudo API Archetypes: • Queue – asynchronous processing of a long operation – can also be a batch operation or a transaction, but not limited to those • Should provide status and progress information • Ex: File processing, order processing, etc. • Transaction – multiple resource operations to be processed in a ALL-OR-NONE manner • The request fails if any of the operation fails. • Any simple action (see Controller) can be also seen/handled as a transaction • Batch – a sequence of resource operations to be processed in sequence • Any failure is reported to the consumer, but doesn’t stop the processing of the batch • Should provide status and progress information • Ex. Batch create, batch update, etc.
06.11.2015 22 API Archetypes: Document • Exposes functionality specific to a singleton resource. • Some standalone documents (ex. ServerInfo), can be read-only • Some collection-owned documents are mutable (can be updated, deleted, etc.) -> parent archetype is a Collection
06.11.2015 23 API Archetypes: Document – Partial Retrieval Partial retrieval allows consumer to limit the transferred information. This leads to better performance and improved customer experience. Limiting the fields: • Specify the fields to be included, as a query string parameter • Specify the fields to be ignored, as a query string parameter • Specify the fields to be expanded (sub-details), as a query string parameter • Specify a predefined view (predefined or custom definition of data retrieval model)
06.11.2015 24 API Archetypes: Document – Partial Retrieval Examples: http://api.domain.com/v1/users?fields=id,firstName,lastName,email,addresses(city) http://api.domain.com/v1/users?excludedFields=email http://api.domain.com/v1/users?view=minimalView http://api.domain.com/v1/users?expand=addresses,previousEmails
06.11.2015 25 API Archetypes: Document – Partial Update Allows consumers to update only those fields that need to be changed This provides faster and better user experience. Two ways: - Specifying the fields to be changed with the new value (partial documents) - Using operation maps
06.11.2015 26 API Archetypes: Document – Partial Update Using partial documents: PATCH /v1/users/1029 HTTP/1.1 Content-Type: application/json X-API-PUBLIC-KEY: D6DB835A-35B1-42B3-8805-8F00F5344BB9 X-API-REQUEST-ID: 5BF75F7E-0A55-40DF-9E79-354B9B162971 { “emailAddress”: ciprian.sorlea@nordlogic.com, “companyName”: “NordLogic” “phoneNumbers” : [“+4074ILOVEAPIS”] }
06.11.2015 27 API Archetypes: Document – Partial Update Advantages of using partial documents: - Request very clean and minimal - Requires very little extra effort to implement Disadvantages: - Hard to add items to lists / arrays, remove values from maps, etc.
06.11.2015 28 API Archetypes: Document – Partial Update Using operation maps: PATCH /v1/users/1029 HTTP/1.1 Content-Type: application/json X-API-PUBLIC-KEY: D6DB835A-35B1-42B3-8805-8F00F5344BB9 X-API-REQUEST-ID: 5BF75F7E-0A55-40DF-9E79-354B9B162971 { “emailAddress”: { “set”: “Ciprian.Sorlea@nordlogic.com”}, “companyName”: { “set” : “NordLogic”}, “phoneNumbers” : { “add” : [“+4074ILOVEAPIS”] } }
06.11.2015 29 API Archetypes: Document – Partial Update Advantages of using operation maps : - More powerful control over what operations are made - Doesn’t require pre-fetching of documents prior to update to get the actual map/list content Disadvantages: - Requests tend to be more verbose, even though just slightly - More effort is needed to implement support for this approach (usually)
06.11.2015 30 API Archetypes: Document – Partial Update PRO TIP: You can implement Partial Update with either approach, or you can combine them and allow patching in either way.
06.11.2015 31 API Archetypes: Document – Partial Retrieval PRO TIP: Combining Partial Update with Partial Retrieval, APIs can offer extreme flexibility for a wide variety of consumers & devices.
06.11.2015 32 API Archetypes: Document – Partial Retrieval PRO TIP: You can implement transactions for updating fields that require additional details on change: Ex. Change status + comment
06.11.2015 33 Document Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{documentID} or http://api.domain.com/{version}/{collection}/{documentID} HTTP Verb Description GET Retrieves the document (complete or partial) PUT Updates a document with the content provided. Only for Collections. PATCH Updates a document fields specified in the content, or applying the specific update operations. Only for Collections. DELETE Deletes the document from the location HEAD Verifies if the given document id exists. OPTIONS Lists the available operations / HTTP Verbs
06.11.2015 34 API Archetypes: Collection Collections provide access to multiple document resources Operations are usually CRUD Collection capabilities: - Pagination - Filtering: using simple filtering or a query language) - Sorting: simple (based on single field) or complex (based on multiple fields) - Partial field retrieval: identical to document level partial field retrieval
06.11.2015 35 API Archetypes: Collection Query String Query String parameters are used to configure collection functionality (ex: sorting, filtering, etc.) Rules & recommendations: - Use same QS parameter names across your entire API, and document them - Ensure you don’t introduce un-necessary constraints by choosing improper names - As long as you don’t confuse your consumers, you can allow aliases for some parameters Ex: - Page & PageSize work for a basic pagination but not for continuous scrolling – improper naming - Start & limit work for any data pagination scenario - Offset/From and count can be aliases to start & limit
06.11.2015 36 API Archetypes: Collection Query String Pagination Ex: http://api.domain.com/v1/users?from=100&count=10 http://api.domain.com/v1/users?count=10 (uses a default offset/start)
06.11.2015 37 API Archetypes: Collection Query String Sorting - can be simple (single field + direction) or complex (list of fields, with specific sort orders) - can be applied on 1st level fields or on details (expanded content) Ex: http://api.domain.com/v1/users?sortBy=email,sortOrder=DESC http://api.domain.com/v1/users?orderBy=name:ASC,email:DESC,contactInfo.phone
06.11.2015 38 API Archetypes: Collection Query String Filtering: - Simple filters (all filters are of type EQUALS): http://api.domain.com/v1/users?email=Ciprian.Sorlea@nordlogic.com http://api.domain.com/v1/users?companyName=Nordlogic&role=developer - Advanced filters (specify the operation: EQ, NE, GT, LTE, etc.) http://api.domain.com/v1/users?companyName=LIKE:*logic&role=NE:qa - Query (use a pseudo query language): http://api.domain.com/v1/users?query=companyName like ‘*logic’ and role not eq ‘QA’ http://api.domain.com/v1/users?query=name eq ‘John’ or name eq ‘Bill’
06.11.2015 39 Collection Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{collection}/ HTTP Verb Description GET / Retrieves a list of paged, filtered and sorted documents, complete or partial GET /{docID} Retrieves the document (complete or partial) POST / Creates a new document in the collection HEAD Can be used to check if data exists given the provided filters and paging DELETE Purges the collection. Recommended for Development only. OPTIONS Lists the available operations / HTTP Verbs
06.11.2015 40 Collection Archetype: Response Few tips: - Always echo the pagination details (ex. offset & count), to provide context - Give more details about the rest of the data (is there more?). Ex: maxRows - Don’t include empty/null fields and ensure (through documentation) your consumers handle that. (This applies to single documents as well)
06.11.2015 41 API Archetypes: Repository Repositories provide access to multiple immutable document resources Operations are usually CRD (Create, Retrieve, Delete) Updates to documents within Repositories MIGHT happen behind the API level Nice to have capabilities: - Capped repositories: limit data to most recent X records - Auto Expiration: automatically delete data older than X days/hours/minutes - Tailing options: retrieve latest X records
06.11.2015 42 Repository Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{repository}/ HTTP Verb Description GET / Retrieves a list of documents with limited capabilities (ex. Tailing over the records in an audit/trace log). Nov very common. GET /{docID} Retrieves the document (complete or partial). POST Creates a new document in the repository HEAD When GET is also implemented, this can be used to check if data exists. DELETE Purges the repository. Recommended for Development only. OPTIONS Lists the available operations / HTTP Verbs
06.11.2015 43 API Archetypes: Controller Allows execution of application specific actions that cannot be mapped with any of the CRUD methods (specific to collections or repositories). Should be avoided as much as possible. Actions should be reconsidered as one of the proposed pseudo-archetypes: batch, queue, transaction. This would allow execution to be more manageable and traceable.
06.11.2015 44 Controller Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{param1}/{param2}/{controllerAction} HTTP Verb Description POST Executes the specific action, with the given parameters
06.11.2015 45 API Archetypes: Queue Allows execution of application specific actions (jobs) in an asynchronous way, while allowing proper management and traceability of the action. Each action, once queued, has an identifier and a status. Therefore each action becomes a Resource. Upon completion, the job document can embed the job result or can provide a link to the actual result.
06.11.2015 46 Queue Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{queue}/ HTTP Verb Description GET /{id} Retrieves the queued job status, progress information and execution result – if available. POST Submits a new job into the queue and retrieves the job identifier. DELETE /{id} Cancels a job (if the status allow the operation to be canceled) OPTIONS Lists the available operations / HTTP Verbs
06.11.2015 47 API Archetypes: Transaction Allows execution of application specific actions in transactional manner. Transactions can be asynchronous (see queues) or asynchronous. In case of synchronous transactions, response contains the transaction result.
06.11.2015 48 Transaction Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{queue}/ HTTP Verb Description GET /{id} Retrieves the transaction status, progress information and execution result – if available. POST Submits a new transaction to be processed. DELETE /{id} Stops/cancels a transaction (in case of asynchronous/queued transactions) OPTIONS Lists the available operations / HTTP Verbs
06.11.2015 49 API Archetypes: Batch Allows execution of application specific actions over multiple records / bulk processing. Batches must always be asynchronous, and the behavior is identical to Queues. Progress information is mandatory in case of batches.
06.11.2015 50 Batch Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{batch}/ HTTP Verb Description GET /{id} Retrieves the status, progress information and execution result – if available. POST Submits a new batch job to be processed. DELETE /{id} Stops/cancels a batch job OPTIONS Lists the available operations / HTTP Verbs
06.11.2015 51 Pseudo Archetypes PRO TIP: You can combine Queues with Transactions and Batches in any way you want. Just make sure things make sense 
06.11.2015 52 Pseudo Archetypes PRO TIP: Sometimes you might want to have, for each Pseudo Archetype, a validation equivalent. Helps your applications/integrations cause less frustrations.
Error Handling how do we handle errors & failure?
06.11.2015 54 API Error Handling Use specific HTTP Error Codes where appropriate for application logic specific errors. Ex: - 401 Unauthorized: errors with authentication / authorization - 404 Not Found: document does not exist - ….
06.11.2015 55 API Error Handling Response body should always contain: - Error code – what happened, coded for analytics - Error message – human readable message, localized to user’s profile - Error details – the context on the error. Nice to have: - Error ID – id of the error, generated by the lowest level module where the error occurred. Should also propagate and find itself in the log files. - Flow ID – if possible, for cross-app tracking
06.11.2015 56 Pseudo Archetypes PRO TIP: Certain operations can generate multiple errors (ex. multiple validation errors). If applicable, provide a list of errors in the response instead of providing just the first error encountered.
06.11.2015 57 Pseudo Archetypes PRO TIP: Don’t provide too much details in the error messages. Consider privacy and security before anything else.
Testing how do we make our API bullet proof?
06.11.2015 59 API Testing Option 1: - Develop API Client along the actual API Service - Build Automated tests using the API Client, using the same programing language
06.11.2015 60 API Testing Option 2: - Build Automated tests using a dedicated API Testing framework • http://frisbyjs.com/ • https://github.com/mkotsur/restito • https://github.com/rest-driver/rest-driver • https://github.com/dareid/chakram
06.11.2015 61 API Testing Option 3: - Use dedicated 3rd Party apps or Browser Plugins • https://www.getpostman.com/ • http://www.soapui.org/rest-testing/getting-started.html
Security how do we protect our data (or ourselves)?
06.11.2015 63 Securing Rest API Simple rules: - Use disposable authentication tokens - Implement authentication mechanisms good for your target audience Ex: OAuth2 works very well for web and mobile, but does it work for enterprise? - Use granular roles & access rights for each resource model - Take the multi-tenancy into account from start - Use & require HTTPS whenever sensitive data is in transit - Encrypt any sensitive data at rest
06.11.2015 64 Securing Rest API Preventive & Enterprise Ready Security: - Audit any failed authentication / authorization - When using sessions, ensure the expiration time can be configured - Lock/disable authentication tokens after a configurable number of failed authentication attempts - Use a whitelist / blacklist for request filtering - Implement overall rate limits as well as application / token specific limits - Validate any data coming IN. Never take things for granted.
06.11.2015 65 Securing Rest API Preventive & Enterprise Ready Security: - Require (configurable) password strength - Use password expiration - Log Remote IP, User-Agent (and Application ID, if possible) with any request - Pass authentication tokens in the request headers, not in URL/Query String - Filter unaccepted query string parameters from URL’s - Escape/strip any textual information accepting user input
06.11.2015 66 Pseudo Archetypes PRO TIP: NEVER, EVER, EVER, EVER TRUST YOUR USERS.
Manageability how can we manage our API and support it operation- wise?
06.11.2015 68 Managing Rest API & Supporting Operations Simple rules: - Log everything, almost everything. - Implement usage analytics and metrics - Time any operation, build performance metrics and alerts - Build operational dashboards, enable error notifications - Use change logs & audit trails for sensitive data - Require “4 eyes check” rule on any major change performed by admins - Use infrastructure as code
Evolution how do we ensure our API is future-proof?
06.11.2015 70 Future proof your API Simple rules: - Version your resource models and archetypes from the beginning - Any new version of the resource model should extend the previous versions - Establish a support plan from first public release - Classify your API’s as public, private & unsupported to ensure phased adoption
Adoption how do we make sure our API will be adopted?
06.11.2015 72 Ensuring APIs adoption - Make it easy to get started - developers should be 1 CURL request away from their first API call. - Provide good and clear documentation. - Provide SDK’s / client libraries and samples for most popular development platforms and languages of your target audience.
06.11.2015 73 Ensuring APIs adoption - Ensure your business logic & rules don’t have to be guessed and duplicated by developers in their own apps (ex. validation rules). - Eat your own dog food. Use your API to build your other products / integrations. - Don’t introduce breaking changes. Plan to support your public API releases.
06.11.2015 74 Ensuring APIs adoption PRO TIP: Deliver VALUE, not just JSON or XML.
Thanks for watching. 

Recommended

API Strategy Presentation
API Strategy PresentationAPI Strategy Presentation
API Strategy PresentationLawrence Coburn
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connectKellton Tech Solutions Ltd
 
API Management in Digital Transformation
API Management in Digital TransformationAPI Management in Digital Transformation
API Management in Digital TransformationAditya Thatte
 
The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debateRestlet
 
API Strategy Introduction
API Strategy IntroductionAPI Strategy Introduction
API Strategy IntroductionDoug Gregory
 
INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...apidays
 
API Management architect presentation
API Management architect presentationAPI Management architect presentation
API Management architect presentationsflynn073
 
14. modul ta dts2021 model ann 14 juli 2021-v2
14. modul ta dts2021 model ann 14 juli 2021-v214. modul ta dts2021 model ann 14 juli 2021-v2
14. modul ta dts2021 model ann 14 juli 2021-v2ArdianDwiPraba
 

Recommended

API Strategy Presentation
API Strategy PresentationAPI Strategy Presentation
API Strategy PresentationLawrence Coburn
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connectKellton Tech Solutions Ltd
 
API Management in Digital Transformation
API Management in Digital TransformationAPI Management in Digital Transformation
API Management in Digital TransformationAditya Thatte
 
The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debateRestlet
 
API Strategy Introduction
API Strategy IntroductionAPI Strategy Introduction
API Strategy IntroductionDoug Gregory
 
INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...INTERFACE by apidays 2023 - Everything you need to know about API security, T...
INTERFACE by apidays 2023 - Everything you need to know about API security, T...apidays
 
API Management architect presentation
API Management architect presentationAPI Management architect presentation
API Management architect presentationsflynn073
 
14. modul ta dts2021 model ann 14 juli 2021-v2
14. modul ta dts2021 model ann 14 juli 2021-v214. modul ta dts2021 model ann 14 juli 2021-v2
14. modul ta dts2021 model ann 14 juli 2021-v2ArdianDwiPraba
 
API Governance
API Governance API Governance
API Governance Sunil Kuchipudi
 
BT – Data Analytics
BT – Data AnalyticsBT – Data Analytics
BT – Data AnalyticsThomas Lopez Anguiano
 
API Monetization
API MonetizationAPI Monetization
API MonetizationCapgemini
 
API Design- Best Practices
API Design- Best PracticesAPI Design- Best Practices
API Design- Best PracticesPrakash Bhandari
 
APIdays London 2019 - Selecting the best API Governance for your organisation...
APIdays London 2019 - Selecting the best API Governance for your organisation...APIdays London 2019 - Selecting the best API Governance for your organisation...
APIdays London 2019 - Selecting the best API Governance for your organisation...apidays
 
Api types
Api typesApi types
Api typesSarah Maddox
 
APIs for biz dev 2.0 - Which business model?
APIs for biz dev 2.0 - Which business model?APIs for biz dev 2.0 - Which business model?
APIs for biz dev 2.0 - Which business model?3scale
 
Effective API Governance: Lessons Learnt
Effective API Governance: Lessons LearntEffective API Governance: Lessons Learnt
Effective API Governance: Lessons LearntPronovix
 
Three layer API Design Architecture
Three layer API Design ArchitectureThree layer API Design Architecture
Three layer API Design ArchitectureHarish Kumar
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopApigee | Google Cloud
 
Architecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyArchitecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyWSO2
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Introduction to Big Data
Introduction to Big DataIntroduction to Big Data
Introduction to Big DataVipin Batra
 
The 7 deadly sins of a product team
The 7 deadly sins of a product teamThe 7 deadly sins of a product team
The 7 deadly sins of a product teamCiprian Sorlea CSM-CSPO
 
Managing api development
Managing api developmentManaging api development
Managing api developmentCiprian Sorlea CSM-CSPO
 
First steps towards agility
First steps towards agilityFirst steps towards agility
First steps towards agilityCiprian Sorlea CSM-CSPO
 
About change & adaptation, and why after 20 years it's just the beginning
About change & adaptation, and why after 20 years it's just the beginningAbout change & adaptation, and why after 20 years it's just the beginning
About change & adaptation, and why after 20 years it's just the beginningCiprian Sorlea CSM-CSPO
 
Software Product Engineering Life-cycle
Software Product Engineering Life-cycleSoftware Product Engineering Life-cycle
Software Product Engineering Life-cycleDotitude
 
APIs in the Enterprise -Lessons Learned
APIs in the Enterprise -Lessons LearnedAPIs in the Enterprise -Lessons Learned
APIs in the Enterprise -Lessons LearnedApigee | Google Cloud
 
API Maturity Model (Webcast with Accenture)
API Maturity Model (Webcast with Accenture)API Maturity Model (Webcast with Accenture)
API Maturity Model (Webcast with Accenture)Apigee | Google Cloud
 
API Frenzy: API Strategy 101
API Frenzy: API Strategy 101API Frenzy: API Strategy 101
API Frenzy: API Strategy 101Akana
 
Software Product Life Cycle
Software Product Life CycleSoftware Product Life Cycle
Software Product Life CycleMahesh Panchal
 

More Related Content

What's hot

API Monetization
API MonetizationAPI Monetization
API MonetizationCapgemini
 
APIdays London 2019 - Selecting the best API Governance for your organisation...
APIdays London 2019 - Selecting the best API Governance for your organisation...APIdays London 2019 - Selecting the best API Governance for your organisation...
APIdays London 2019 - Selecting the best API Governance for your organisation...apidays
 
APIs for biz dev 2.0 - Which business model?
APIs for biz dev 2.0 - Which business model?APIs for biz dev 2.0 - Which business model?
APIs for biz dev 2.0 - Which business model?3scale
 
Effective API Governance: Lessons Learnt
Effective API Governance: Lessons LearntEffective API Governance: Lessons Learnt
Effective API Governance: Lessons LearntPronovix
 
Three layer API Design Architecture
Three layer API Design ArchitectureThree layer API Design Architecture
Three layer API Design ArchitectureHarish Kumar
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopApigee | Google Cloud
 
Architecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyArchitecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyWSO2
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Introduction to Big Data
Introduction to Big DataIntroduction to Big Data
Introduction to Big DataVipin Batra
 

What's hot (13)

API Governance
API Governance API Governance
API Governance
 
BT – Data Analytics
BT – Data AnalyticsBT – Data Analytics
BT – Data Analytics
 
API Monetization
API MonetizationAPI Monetization
API Monetization
 
API Design- Best Practices
API Design- Best PracticesAPI Design- Best Practices
API Design- Best Practices
 
APIdays London 2019 - Selecting the best API Governance for your organisation...
APIdays London 2019 - Selecting the best API Governance for your organisation...APIdays London 2019 - Selecting the best API Governance for your organisation...
APIdays London 2019 - Selecting the best API Governance for your organisation...
 
Api types
Api typesApi types
Api types
 
APIs for biz dev 2.0 - Which business model?
APIs for biz dev 2.0 - Which business model?APIs for biz dev 2.0 - Which business model?
APIs for biz dev 2.0 - Which business model?
 
Effective API Governance: Lessons Learnt
Effective API Governance: Lessons LearntEffective API Governance: Lessons Learnt
Effective API Governance: Lessons Learnt
 
Three layer API Design Architecture
Three layer API Design ArchitectureThree layer API Design Architecture
Three layer API Design Architecture
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
 
Architecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyArchitecting an Enterprise API Management Strategy
Architecting an Enterprise API Management Strategy
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Introduction to Big Data
Introduction to Big DataIntroduction to Big Data
Introduction to Big Data
 

Viewers also liked

About change & adaptation, and why after 20 years it's just the beginning
About change & adaptation, and why after 20 years it's just the beginningAbout change & adaptation, and why after 20 years it's just the beginning
About change & adaptation, and why after 20 years it's just the beginningCiprian Sorlea CSM-CSPO
 
Software Product Engineering Life-cycle
Software Product Engineering Life-cycleSoftware Product Engineering Life-cycle
Software Product Engineering Life-cycleDotitude
 
APIs in the Enterprise -Lessons Learned
APIs in the Enterprise -Lessons LearnedAPIs in the Enterprise -Lessons Learned
APIs in the Enterprise -Lessons LearnedApigee | Google Cloud
 
API Maturity Model (Webcast with Accenture)
API Maturity Model (Webcast with Accenture)API Maturity Model (Webcast with Accenture)
API Maturity Model (Webcast with Accenture)Apigee | Google Cloud
 
API Frenzy: API Strategy 101
API Frenzy: API Strategy 101API Frenzy: API Strategy 101
API Frenzy: API Strategy 101Akana
 
Software Product Life Cycle
Software Product Life CycleSoftware Product Life Cycle
Software Product Life CycleMahesh Panchal
 
API Business Models
API Business ModelsAPI Business Models
API Business ModelsJohn Musser
 

Viewers also liked (10)

The 7 deadly sins of a product team
The 7 deadly sins of a product teamThe 7 deadly sins of a product team
The 7 deadly sins of a product team
 
Managing api development
Managing api developmentManaging api development
Managing api development
 
First steps towards agility
First steps towards agilityFirst steps towards agility
First steps towards agility
 
About change & adaptation, and why after 20 years it's just the beginning
About change & adaptation, and why after 20 years it's just the beginningAbout change & adaptation, and why after 20 years it's just the beginning
About change & adaptation, and why after 20 years it's just the beginning
 
Software Product Engineering Life-cycle
Software Product Engineering Life-cycleSoftware Product Engineering Life-cycle
Software Product Engineering Life-cycle
 
APIs in the Enterprise -Lessons Learned
APIs in the Enterprise -Lessons LearnedAPIs in the Enterprise -Lessons Learned
APIs in the Enterprise -Lessons Learned
 
API Maturity Model (Webcast with Accenture)
API Maturity Model (Webcast with Accenture)API Maturity Model (Webcast with Accenture)
API Maturity Model (Webcast with Accenture)
 
API Frenzy: API Strategy 101
API Frenzy: API Strategy 101API Frenzy: API Strategy 101
API Frenzy: API Strategy 101
 
Software Product Life Cycle
Software Product Life CycleSoftware Product Life Cycle
Software Product Life Cycle
 
API Business Models
API Business ModelsAPI Business Models
API Business Models
 

Similar to The DNA of a great API

Hia 1691-using iib-to_support_api_economy
Hia 1691-using iib-to_support_api_economyHia 1691-using iib-to_support_api_economy
Hia 1691-using iib-to_support_api_economyAndrew Coleman
 
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays
 
Extend soa with api management Sangam18
Extend soa with api management Sangam18Extend soa with api management Sangam18
Extend soa with api management Sangam18Vinay Kumar
 
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & RestoreLadies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restoregemziebeth
 
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay NagchowdhuryIBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay NagchowdhuryKaren Broughton-Mabbitt
 
Extend soa with api management spoug- Madrid
Extend soa with api management spoug- MadridExtend soa with api management spoug- Madrid
Extend soa with api management spoug- MadridVinay Kumar
 
Extend soa with api management Doag18
Extend soa with api management Doag18Extend soa with api management Doag18
Extend soa with api management Doag18Vinay Kumar
 
SnapLogic- iPaaS (Elastic Integration Cloud and Data Integration)
SnapLogic- iPaaS (Elastic Integration Cloud and Data Integration) SnapLogic- iPaaS (Elastic Integration Cloud and Data Integration)
SnapLogic- iPaaS (Elastic Integration Cloud and Data Integration) Surendar S
 
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...Jitendra Bafna
 
Rkd Api Overview
Rkd Api OverviewRkd Api Overview
Rkd Api Overviewdquack
 
API and Big Data Solution Patterns
API and Big Data Solution Patterns API and Big Data Solution Patterns
API and Big Data Solution Patterns WSO2
 
Cloud Side: REST APIs - Best practices
Cloud Side: REST APIs - Best practicesCloud Side: REST APIs - Best practices
Cloud Side: REST APIs - Best practicesNicolas FOATA
 
Mule soft meetup_4_mty_online_oct_2020
Mule soft meetup_4_mty_online_oct_2020Mule soft meetup_4_mty_online_oct_2020
Mule soft meetup_4_mty_online_oct_2020Veyra Celina
 

Similar to The DNA of a great API (20)

Hia 1691-using iib-to_support_api_economy
Hia 1691-using iib-to_support_api_economyHia 1691-using iib-to_support_api_economy
Hia 1691-using iib-to_support_api_economy
 
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
 
Extend soa with api management Sangam18
Extend soa with api management Sangam18Extend soa with api management Sangam18
Extend soa with api management Sangam18
 
APITalkMeetupSharable
APITalkMeetupSharableAPITalkMeetupSharable
APITalkMeetupSharable
 
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & RestoreLadies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
 
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay NagchowdhuryIBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
 
Extend soa with api management spoug- Madrid
Extend soa with api management spoug- MadridExtend soa with api management spoug- Madrid
Extend soa with api management spoug- Madrid
 
Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655
Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655
Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655
 
Day 1 axway apim-training
Day 1 axway apim-trainingDay 1 axway apim-training
Day 1 axway apim-training
 
Extend soa with api management Doag18
Extend soa with api management Doag18Extend soa with api management Doag18
Extend soa with api management Doag18
 
SnapLogic- iPaaS (Elastic Integration Cloud and Data Integration)
SnapLogic- iPaaS (Elastic Integration Cloud and Data Integration) SnapLogic- iPaaS (Elastic Integration Cloud and Data Integration)
SnapLogic- iPaaS (Elastic Integration Cloud and Data Integration)
 
Open Banking & Open Insurance
Open Banking & Open InsuranceOpen Banking & Open Insurance
Open Banking & Open Insurance
 
M meijer api management - tech-days 2015
M meijer api management - tech-days 2015M meijer api management - tech-days 2015
M meijer api management - tech-days 2015
 
Api design part 1
Api design part 1Api design part 1
Api design part 1
 
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
 
REST != WebAPI
REST != WebAPIREST != WebAPI
REST != WebAPI
 
Rkd Api Overview
Rkd Api OverviewRkd Api Overview
Rkd Api Overview
 
API and Big Data Solution Patterns
API and Big Data Solution Patterns API and Big Data Solution Patterns
API and Big Data Solution Patterns
 
Cloud Side: REST APIs - Best practices
Cloud Side: REST APIs - Best practicesCloud Side: REST APIs - Best practices
Cloud Side: REST APIs - Best practices
 
Mule soft meetup_4_mty_online_oct_2020
Mule soft meetup_4_mty_online_oct_2020Mule soft meetup_4_mty_online_oct_2020
Mule soft meetup_4_mty_online_oct_2020
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 

The DNA of a great API

  • 1. The DNA of a GREAT API Ciprian Sorlea, CTO October 2015 Building API’s that developers will love
  • 2. 06.11.2015 2 What’s an API: Any API: • allows Software components, systems and subsystems to interact. • hides the complexity of the underlying architecture and functionality • focuses on separation of concerns • allows callers/consumers to access resources (ex. CRUD operations) or to perform various operations on top of the resources
  • 3. 06.11.2015 3 Qualities of a good API: A good API must be: • domain specific, simple and easy to use • consistent (naming, parameters, etc.) • stateless • transparent & clear in terms of error trapping • accessible (from different platforms, languages, etc.)
  • 4. 06.11.2015 4 From Good To Great: A great API must be: • well documented and should provide many working samples • fast, secure, scalable and reliable • forward and backwards compatible (versioning) • “self aware”: usage statistics, logs/traces
  • 5. 06.11.2015 5 From Good To Great: A great API must go the extra mile
  • 6. 06.11.2015 6 Who are the consumers? An API can be consumed by: - A web application - A desktop application - A mobile application - Another API - An integration test - A 3rd party integration - Internet Of Things - A home appliance, a wearable device, a smart gadget
  • 7. 06.11.2015 7 Now, let’s remember…. Who is your target audience? Developers
  • 8. 06.11.2015 8 A big question & challenge: How do we handle all these uses cases, while also making it easy for Developers?
  • 9. 06.11.2015 9 Things to consider: - Transport: how do we exchange data? - Resource models: what kind of data do we exchange? - API Architecture patterns: how do we design our API? - Error Handling: how do we handle errors & failure? - Testing: how do we make our API bullet proof? - Security: how do we protect our data (or ourselves)? - Manageability: how can we manage our API and support it operation-wise? - Evolution: how do we ensure our API is future-proof? - Adoption: how do we make sure our API will be adopted?
  • 10. API Transport how do we exchange data?
  • 11. 06.11.2015 11 API Transport REST API: - Recommended for external integrations and applications, 3rd party apps and plugins - Use JSON & XML over HTTP(s) - Use established Security mechanisms (OAuth2, Basic Authentication, etc.)
  • 12. 06.11.2015 12 API Transport RPC / Binary Protocol: - Recommended for internal usage or high throughput requirements, IOT and devices with limited networking capabilities / bandwidth - Use Apache Thrift, Google Protobuff or alternatives - Use simplified authentication and authorization model to minimize overhead – assume working in safer environment
  • 13. Note: For now, we’ll focus on REST API’s
  • 14. API Resource Models what kind of data do we exchange?
  • 15. 06.11.2015 15 API Resource Models Resources are the heart and soul of the API Resources represent the abstraction of any information we exchange and operate on within an API Domain Model ~= Resource Model
  • 16. 06.11.2015 16 API Resource Models Resource classification: - Singleton – can be part of a collection or can be stand-alone - ServerInfo – Server Information can be exposed as a standalone singleton resource - User – User information can be exposed as a resource, part of a collection - Collection – a list of so called documents belonging to the same domain - Users - Products - Orders - Documents
  • 17. 06.11.2015 17 API Resource Models Minimal Resource Model Attributes: - URI: Unified Resource Identifier - represents the unique URL by which a resource can be accessed - HATEOAS takes this to the extreme level - Ex: http://api.domain.com/v1/serverInfo, http://api.domain.com/v1/users/1, http://api.domain.com/v1/projects/ - ID: - required when the resource is a singleton as part of a collection - a numeric ID (ex: 1029) or a GUID (ex. c366728d-ca93-4b23-a4b9-ae360600b86a) - can be the database specific primary key (ex. auto generated) or can use a custom field with random generated values, to enhance security
  • 18. 06.11.2015 18 API Resource Models Important consideration: - Ensure your resource models can be properly represented in any transport models (ex. JSON, XML) and without significant effort (Ex. Don’t try to use complicated bit level data in your models) - Follow the Open Close principle. This will make your resources future-proof - Ensure the API resource model doesn’t carry with it the DB optimizations and complexity
  • 20. 06.11.2015 20 API Archetypes The de-facto API Archetypes: • Document – a singleton resource • Collection – a collection of resources • Repository (also known as Store) – a collection of immutable resources • Controller – an action dispatcher *** *** Should be avoided. Explanation later.
  • 21. 06.11.2015 21 API Archetypes Pseudo API Archetypes: • Queue – asynchronous processing of a long operation – can also be a batch operation or a transaction, but not limited to those • Should provide status and progress information • Ex: File processing, order processing, etc. • Transaction – multiple resource operations to be processed in a ALL-OR-NONE manner • The request fails if any of the operation fails. • Any simple action (see Controller) can be also seen/handled as a transaction • Batch – a sequence of resource operations to be processed in sequence • Any failure is reported to the consumer, but doesn’t stop the processing of the batch • Should provide status and progress information • Ex. Batch create, batch update, etc.
  • 22. 06.11.2015 22 API Archetypes: Document • Exposes functionality specific to a singleton resource. • Some standalone documents (ex. ServerInfo), can be read-only • Some collection-owned documents are mutable (can be updated, deleted, etc.) -> parent archetype is a Collection
  • 23. 06.11.2015 23 API Archetypes: Document – Partial Retrieval Partial retrieval allows consumer to limit the transferred information. This leads to better performance and improved customer experience. Limiting the fields: • Specify the fields to be included, as a query string parameter • Specify the fields to be ignored, as a query string parameter • Specify the fields to be expanded (sub-details), as a query string parameter • Specify a predefined view (predefined or custom definition of data retrieval model)
  • 24. 06.11.2015 24 API Archetypes: Document – Partial Retrieval Examples: http://api.domain.com/v1/users?fields=id,firstName,lastName,email,addresses(city) http://api.domain.com/v1/users?excludedFields=email http://api.domain.com/v1/users?view=minimalView http://api.domain.com/v1/users?expand=addresses,previousEmails
  • 25. 06.11.2015 25 API Archetypes: Document – Partial Update Allows consumers to update only those fields that need to be changed This provides faster and better user experience. Two ways: - Specifying the fields to be changed with the new value (partial documents) - Using operation maps
  • 26. 06.11.2015 26 API Archetypes: Document – Partial Update Using partial documents: PATCH /v1/users/1029 HTTP/1.1 Content-Type: application/json X-API-PUBLIC-KEY: D6DB835A-35B1-42B3-8805-8F00F5344BB9 X-API-REQUEST-ID: 5BF75F7E-0A55-40DF-9E79-354B9B162971 { “emailAddress”: ciprian.sorlea@nordlogic.com, “companyName”: “NordLogic” “phoneNumbers” : [“+4074ILOVEAPIS”] }
  • 27. 06.11.2015 27 API Archetypes: Document – Partial Update Advantages of using partial documents: - Request very clean and minimal - Requires very little extra effort to implement Disadvantages: - Hard to add items to lists / arrays, remove values from maps, etc.
  • 28. 06.11.2015 28 API Archetypes: Document – Partial Update Using operation maps: PATCH /v1/users/1029 HTTP/1.1 Content-Type: application/json X-API-PUBLIC-KEY: D6DB835A-35B1-42B3-8805-8F00F5344BB9 X-API-REQUEST-ID: 5BF75F7E-0A55-40DF-9E79-354B9B162971 { “emailAddress”: { “set”: “Ciprian.Sorlea@nordlogic.com”}, “companyName”: { “set” : “NordLogic”}, “phoneNumbers” : { “add” : [“+4074ILOVEAPIS”] } }
  • 29. 06.11.2015 29 API Archetypes: Document – Partial Update Advantages of using operation maps : - More powerful control over what operations are made - Doesn’t require pre-fetching of documents prior to update to get the actual map/list content Disadvantages: - Requests tend to be more verbose, even though just slightly - More effort is needed to implement support for this approach (usually)
  • 30. 06.11.2015 30 API Archetypes: Document – Partial Update PRO TIP: You can implement Partial Update with either approach, or you can combine them and allow patching in either way.
  • 31. 06.11.2015 31 API Archetypes: Document – Partial Retrieval PRO TIP: Combining Partial Update with Partial Retrieval, APIs can offer extreme flexibility for a wide variety of consumers & devices.
  • 32. 06.11.2015 32 API Archetypes: Document – Partial Retrieval PRO TIP: You can implement transactions for updating fields that require additional details on change: Ex. Change status + comment
  • 33. 06.11.2015 33 Document Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{documentID} or http://api.domain.com/{version}/{collection}/{documentID} HTTP Verb Description GET Retrieves the document (complete or partial) PUT Updates a document with the content provided. Only for Collections. PATCH Updates a document fields specified in the content, or applying the specific update operations. Only for Collections. DELETE Deletes the document from the location HEAD Verifies if the given document id exists. OPTIONS Lists the available operations / HTTP Verbs
  • 34. 06.11.2015 34 API Archetypes: Collection Collections provide access to multiple document resources Operations are usually CRUD Collection capabilities: - Pagination - Filtering: using simple filtering or a query language) - Sorting: simple (based on single field) or complex (based on multiple fields) - Partial field retrieval: identical to document level partial field retrieval
  • 35. 06.11.2015 35 API Archetypes: Collection Query String Query String parameters are used to configure collection functionality (ex: sorting, filtering, etc.) Rules & recommendations: - Use same QS parameter names across your entire API, and document them - Ensure you don’t introduce un-necessary constraints by choosing improper names - As long as you don’t confuse your consumers, you can allow aliases for some parameters Ex: - Page & PageSize work for a basic pagination but not for continuous scrolling – improper naming - Start & limit work for any data pagination scenario - Offset/From and count can be aliases to start & limit
  • 36. 06.11.2015 36 API Archetypes: Collection Query String Pagination Ex: http://api.domain.com/v1/users?from=100&count=10 http://api.domain.com/v1/users?count=10 (uses a default offset/start)
  • 37. 06.11.2015 37 API Archetypes: Collection Query String Sorting - can be simple (single field + direction) or complex (list of fields, with specific sort orders) - can be applied on 1st level fields or on details (expanded content) Ex: http://api.domain.com/v1/users?sortBy=email,sortOrder=DESC http://api.domain.com/v1/users?orderBy=name:ASC,email:DESC,contactInfo.phone
  • 38. 06.11.2015 38 API Archetypes: Collection Query String Filtering: - Simple filters (all filters are of type EQUALS): http://api.domain.com/v1/users?email=Ciprian.Sorlea@nordlogic.com http://api.domain.com/v1/users?companyName=Nordlogic&role=developer - Advanced filters (specify the operation: EQ, NE, GT, LTE, etc.) http://api.domain.com/v1/users?companyName=LIKE:*logic&role=NE:qa - Query (use a pseudo query language): http://api.domain.com/v1/users?query=companyName like ‘*logic’ and role not eq ‘QA’ http://api.domain.com/v1/users?query=name eq ‘John’ or name eq ‘Bill’
  • 39. 06.11.2015 39 Collection Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{collection}/ HTTP Verb Description GET / Retrieves a list of paged, filtered and sorted documents, complete or partial GET /{docID} Retrieves the document (complete or partial) POST / Creates a new document in the collection HEAD Can be used to check if data exists given the provided filters and paging DELETE Purges the collection. Recommended for Development only. OPTIONS Lists the available operations / HTTP Verbs
  • 40. 06.11.2015 40 Collection Archetype: Response Few tips: - Always echo the pagination details (ex. offset & count), to provide context - Give more details about the rest of the data (is there more?). Ex: maxRows - Don’t include empty/null fields and ensure (through documentation) your consumers handle that. (This applies to single documents as well)
  • 41. 06.11.2015 41 API Archetypes: Repository Repositories provide access to multiple immutable document resources Operations are usually CRD (Create, Retrieve, Delete) Updates to documents within Repositories MIGHT happen behind the API level Nice to have capabilities: - Capped repositories: limit data to most recent X records - Auto Expiration: automatically delete data older than X days/hours/minutes - Tailing options: retrieve latest X records
  • 42. 06.11.2015 42 Repository Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{repository}/ HTTP Verb Description GET / Retrieves a list of documents with limited capabilities (ex. Tailing over the records in an audit/trace log). Nov very common. GET /{docID} Retrieves the document (complete or partial). POST Creates a new document in the repository HEAD When GET is also implemented, this can be used to check if data exists. DELETE Purges the repository. Recommended for Development only. OPTIONS Lists the available operations / HTTP Verbs
  • 43. 06.11.2015 43 API Archetypes: Controller Allows execution of application specific actions that cannot be mapped with any of the CRUD methods (specific to collections or repositories). Should be avoided as much as possible. Actions should be reconsidered as one of the proposed pseudo-archetypes: batch, queue, transaction. This would allow execution to be more manageable and traceable.
  • 44. 06.11.2015 44 Controller Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{param1}/{param2}/{controllerAction} HTTP Verb Description POST Executes the specific action, with the given parameters
  • 45. 06.11.2015 45 API Archetypes: Queue Allows execution of application specific actions (jobs) in an asynchronous way, while allowing proper management and traceability of the action. Each action, once queued, has an identifier and a status. Therefore each action becomes a Resource. Upon completion, the job document can embed the job result or can provide a link to the actual result.
  • 46. 06.11.2015 46 Queue Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{queue}/ HTTP Verb Description GET /{id} Retrieves the queued job status, progress information and execution result – if available. POST Submits a new job into the queue and retrieves the job identifier. DELETE /{id} Cancels a job (if the status allow the operation to be canceled) OPTIONS Lists the available operations / HTTP Verbs
  • 47. 06.11.2015 47 API Archetypes: Transaction Allows execution of application specific actions in transactional manner. Transactions can be asynchronous (see queues) or asynchronous. In case of synchronous transactions, response contains the transaction result.
  • 48. 06.11.2015 48 Transaction Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{queue}/ HTTP Verb Description GET /{id} Retrieves the transaction status, progress information and execution result – if available. POST Submits a new transaction to be processed. DELETE /{id} Stops/cancels a transaction (in case of asynchronous/queued transactions) OPTIONS Lists the available operations / HTTP Verbs
  • 49. 06.11.2015 49 API Archetypes: Batch Allows execution of application specific actions over multiple records / bulk processing. Batches must always be asynchronous, and the behavior is identical to Queues. Progress information is mandatory in case of batches.
  • 50. 06.11.2015 50 Batch Archetype: URI & HTTP Verbs • Base URI: http://api.domain.com/{version}/{batch}/ HTTP Verb Description GET /{id} Retrieves the status, progress information and execution result – if available. POST Submits a new batch job to be processed. DELETE /{id} Stops/cancels a batch job OPTIONS Lists the available operations / HTTP Verbs
  • 51. 06.11.2015 51 Pseudo Archetypes PRO TIP: You can combine Queues with Transactions and Batches in any way you want. Just make sure things make sense 
  • 52. 06.11.2015 52 Pseudo Archetypes PRO TIP: Sometimes you might want to have, for each Pseudo Archetype, a validation equivalent. Helps your applications/integrations cause less frustrations.
  • 53. Error Handling how do we handle errors & failure?
  • 54. 06.11.2015 54 API Error Handling Use specific HTTP Error Codes where appropriate for application logic specific errors. Ex: - 401 Unauthorized: errors with authentication / authorization - 404 Not Found: document does not exist - ….
  • 55. 06.11.2015 55 API Error Handling Response body should always contain: - Error code – what happened, coded for analytics - Error message – human readable message, localized to user’s profile - Error details – the context on the error. Nice to have: - Error ID – id of the error, generated by the lowest level module where the error occurred. Should also propagate and find itself in the log files. - Flow ID – if possible, for cross-app tracking
  • 56. 06.11.2015 56 Pseudo Archetypes PRO TIP: Certain operations can generate multiple errors (ex. multiple validation errors). If applicable, provide a list of errors in the response instead of providing just the first error encountered.
  • 57. 06.11.2015 57 Pseudo Archetypes PRO TIP: Don’t provide too much details in the error messages. Consider privacy and security before anything else.
  • 58. Testing how do we make our API bullet proof?
  • 59. 06.11.2015 59 API Testing Option 1: - Develop API Client along the actual API Service - Build Automated tests using the API Client, using the same programing language
  • 60. 06.11.2015 60 API Testing Option 2: - Build Automated tests using a dedicated API Testing framework • http://frisbyjs.com/ • https://github.com/mkotsur/restito • https://github.com/rest-driver/rest-driver • https://github.com/dareid/chakram
  • 61. 06.11.2015 61 API Testing Option 3: - Use dedicated 3rd Party apps or Browser Plugins • https://www.getpostman.com/ • http://www.soapui.org/rest-testing/getting-started.html
  • 62. Security how do we protect our data (or ourselves)?
  • 63. 06.11.2015 63 Securing Rest API Simple rules: - Use disposable authentication tokens - Implement authentication mechanisms good for your target audience Ex: OAuth2 works very well for web and mobile, but does it work for enterprise? - Use granular roles & access rights for each resource model - Take the multi-tenancy into account from start - Use & require HTTPS whenever sensitive data is in transit - Encrypt any sensitive data at rest
  • 64. 06.11.2015 64 Securing Rest API Preventive & Enterprise Ready Security: - Audit any failed authentication / authorization - When using sessions, ensure the expiration time can be configured - Lock/disable authentication tokens after a configurable number of failed authentication attempts - Use a whitelist / blacklist for request filtering - Implement overall rate limits as well as application / token specific limits - Validate any data coming IN. Never take things for granted.
  • 65. 06.11.2015 65 Securing Rest API Preventive & Enterprise Ready Security: - Require (configurable) password strength - Use password expiration - Log Remote IP, User-Agent (and Application ID, if possible) with any request - Pass authentication tokens in the request headers, not in URL/Query String - Filter unaccepted query string parameters from URL’s - Escape/strip any textual information accepting user input
  • 66. 06.11.2015 66 Pseudo Archetypes PRO TIP: NEVER, EVER, EVER, EVER TRUST YOUR USERS.
  • 67. Manageability how can we manage our API and support it operation- wise?
  • 68. 06.11.2015 68 Managing Rest API & Supporting Operations Simple rules: - Log everything, almost everything. - Implement usage analytics and metrics - Time any operation, build performance metrics and alerts - Build operational dashboards, enable error notifications - Use change logs & audit trails for sensitive data - Require “4 eyes check” rule on any major change performed by admins - Use infrastructure as code
  • 69. Evolution how do we ensure our API is future-proof?
  • 70. 06.11.2015 70 Future proof your API Simple rules: - Version your resource models and archetypes from the beginning - Any new version of the resource model should extend the previous versions - Establish a support plan from first public release - Classify your API’s as public, private & unsupported to ensure phased adoption
  • 71. Adoption how do we make sure our API will be adopted?
  • 72. 06.11.2015 72 Ensuring APIs adoption - Make it easy to get started - developers should be 1 CURL request away from their first API call. - Provide good and clear documentation. - Provide SDK’s / client libraries and samples for most popular development platforms and languages of your target audience.
  • 73. 06.11.2015 73 Ensuring APIs adoption - Ensure your business logic & rules don’t have to be guessed and duplicated by developers in their own apps (ex. validation rules). - Eat your own dog food. Use your API to build your other products / integrations. - Don’t introduce breaking changes. Plan to support your public API releases.
  • 74. 06.11.2015 74 Ensuring APIs adoption PRO TIP: Deliver VALUE, not just JSON or XML.