Securing, Monitoring and
Monetizing APIs
Nuwan Dias
Technical Lead
WSO2
What is a Managed API?
● Advertising APIs
● Controlled Subscriptions
● SLAs
● Securing
● Statistics and Monitoring
● Monetization
API Security
● Identity Delegation
API Security
OAuth 2.0
● Has become the de-facto standard for API Security
● Succeeds OAuth 1.0 and OAuth WRAP
● Primarily operates on an Access Token
● Introduces Grant Types and Token Types
● Common Terminology Used
○ User
○ Client
○ Resource Server
○ Authorization Server
Using Access Tokens
OAuth 2.0 Grant Types
● A grant type defines how a client obtains an access token
● OAuth 2.0 specification defines 4 major grant types
○ Authorization Code
○ Implicit
○ Resource Owner Password Credentials
○ Client Credentials
● Other popular grant types
○ JWT-Bearer
○ SAML 2.0 Bearer Assertion
● The WSO2 API Management and Identity Platforms support
almost all these grant types out of the box and provide the
ability to extend them and introduce custom grant types as well!
Fine Grained Authorization
through OAuth Scopes
● A scope defines a particular action performed by a Resource.
● A scope can be restricted to a particular user role
Fine Grained Authorization
through OAuth Scopes
● Protecting a Resource through a Scope
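The two scope rules on these slides (a scope protects a resource action; a scope can be restricted to a user role) worked through as an added example, not code from the slides or from the WSO2 platform. The roles, scopes and resource templates are constructed; the scope string follows the space-delimited format OAuth 2.0 uses for the scope parameter.

```python
# Added example (not from the slides): role-restricted OAuth scopes enforced
# at two points. When the authorization server issues a token, only scopes the
# user's roles permit are granted; at the API gateway, each method/resource is
# protected by a required scope. All policy data below is constructed.

# Which roles may obtain each scope (scope restricted to a user role).
SCOPE_ROLES = {
    "order:read": {"customer", "clerk", "manager"},
    "order:write": {"clerk", "manager"},
    "order:refund": {"manager"},
}

# Which scope protects each (HTTP method, resource template).
RESOURCE_SCOPES = {
    ("GET", "/orders/{id}"): "order:read",
    ("POST", "/orders"): "order:write",
    ("POST", "/orders/{id}/refund"): "order:refund",
}


def grant_scopes(requested, user_roles):
    """Authorization-server step: filter the requested scopes down to those the
    user's roles are allowed to hold. Returns the space-delimited 'scope' value
    that would be carried in the issued token."""
    granted = [s for s in requested if SCOPE_ROLES.get(s, set()) & set(user_roles)]
    return " ".join(granted)


def _matches(template, path):
    """Match a concrete path against a template such as /orders/{id}."""
    t_parts, p_parts = template.split("/"), path.split("/")
    if len(t_parts) != len(p_parts):
        return False
    return all(t == p or (t.startswith("{") and t.endswith("}") and p)
               for t, p in zip(t_parts, p_parts))


def authorize(method, path, token_scope):
    """Gateway step: allow the request only if the token's scope claim contains
    the scope protecting the matched resource. Unknown resources are denied
    (deny by default)."""
    token_scopes = set(token_scope.split())
    for (m, template), required in RESOURCE_SCOPES.items():
        if m == method and _matches(template, path):
            return required in token_scopes
    return False
```

A clerk who requests order:refund never receives it, so the gateway check on the refund resource fails even though the token itself is valid.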
Fine Grained Authorization
through XACML
● XACML - eXtensible Access Control Markup Language
● WSO2 Identity Server’s support for XACML can be utilized as a
means of protecting Resources at a finer grained level
Authorization through Identity
Federation
● Perform Authentication through external IDPs
Integrating with an external
OAuth Server
● The WSO2 API Management platform offers the capability of
integrating with an external OAuth server and operating on
access tokens/keys offered by the external server.
{JWT}
• JSON Web Token is a compact, URL-safe means of representing claims to be
transferred between two parties. The claims in a JWT are encoded as a
JSON object that is digitally signed using JSON Web Signature (JWS).
{
"alg": "RS256",
"typ": "JWT"
}
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
RSASHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
…
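The compact serialization shown on this slide, built and verified end to end, as an added example that is not code from the slides. The slide's token is signed with RS256 (an RSA signature over the same signing input); this example uses HS256 (HMAC-SHA256 with a shared key) so it runs with the standard library alone. The key and claim values are constructed.

```python
# Added example (not from the slides): the JWS compact serialization the JWT
# slide shows. The slide's token uses RS256; HS256 (HMAC-SHA256, symmetric key)
# is used here so the code needs no third-party library. The signing input is
# exactly base64UrlEncode(header) + "." + base64UrlEncode(payload).
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-do-not-reuse"  # constructed value


def b64url(data: bytes) -> str:
    # base64UrlEncode as on the slide: URL-safe alphabet, padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes = SECRET):
    """Return the claims if the token has three parts, declares the algorithm
    the verifier expects, and carries a valid signature; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm rather than taking it from the header alone.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))
```

Because the signature covers both encoded segments, changing a claim such as "admin" in the payload while keeping the original signature makes verification fail.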
Advanced API Security by
Prabath Siriwardena
Monitoring Your APIs
Monitoring and
Statistics
Operational
• Scaling Up Systems
• Upgrading System Resources
Business
• For expanding your business
and API Ecosystem
Operational Insights - Why
they Matter
• Production Systems don’t just operate on a single VM
• Operational conditions change over time
• Performance Implications - How to find out Why?
• Avoid applying the wrong fix
Message Tracing using WSO2
DAS and CEP
• Find out what happened to your message
Using WSO2 CEP for Real
Time Analytics
• Identify Access Patterns and propose new Business Models
• Threat Identification
• Trigger Alerts/Notifications on failures and risks.
• Performance monitoring of Servers
• Monitor Response Times
Parties Involved in an API
Ecosystem
Interests of Parties in the API
Ecosystem
Business Owners
• Goals - Increase Sales, Retain Existing Customers, New Business
Strategies
• Needs - Commonly Moving Items, Customer Trends, Possible Store
Locations
API Creators
• Goals - Design Better APIs, Increase API Usage
• Needs - Call Frequency, Response Times, Access Patterns
Application Developers
• Goals - More App Downloads, Better User Experience, Higher Availability
• Needs - Call Count, Device Types, Access Locations
The Analytics platform should cater to needs of all interested parties!
Batch Analytics using WSO2
DAS
Some stats offered by default
General API/Resource Usage
API Response Times
API Usage by User
API Usage by Application(s)
Top Users per Application
Faults by API
Stats based on API endpoint
Integration with Google
Analytics
Identify Geographical Usage
Integration with Google
Analytics
Identify Usage by Device
Benefits of Stats offered by
Google Analytics
• Application Developers
○ Find out on which platforms APIs are used most - improve the UX on
those platforms
○ Identify languages to be supported based on geographical usage
• API Developers
○ Prioritise development/testing for platforms on which the API is used most
○ Determine languages to be supported by the API.
• Business Owners
○ Determine where best to open up a new Store
○ Introduce regional varieties.
API Monetization
• The relevance of APIs today is expanding beyond the IT
department. Why?
• Consumer demand for a seamless experience is driving the
need for unprecedented integration.
• Only a few direct Monetization strategies actually work. Ex:
Amazon.
• Enterprises today are “Data Rich”. APIs can help unleash the
power of enterprise data in support of a digital strategy.
• The inability to monetize APIs directly is not necessarily a lack
of revenue opportunity.
Exposing Data as APIs
• WSO2 offers the perfect platform for aggregating, organising
and exposing your enterprise data for consumption by third
parties.
Thank You

WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
