APIs: The Gateway to Digital
Transformation
Nuwan Dias
Director - WSO2
February 22, 2018
Agenda
● What is digital transformation
● Why and how APIs play a key role in digital transformation
● The key performance factors of an API ecosystem
● Deployment options for your API ecosystem
Digital transformation is all about creating a “Digital Experience” for your customers.
It’s not just about becoming “Paperless”.
It’s about building a “Connected Experience”.
Example: UBER
Connected Experience - APIs Complementing Each Other
A Digital Platform
[Diagram: People, Apps, APIs, Services and Data]
Key Performance Factors of an API Platform
● Security
● Rate Limiting
● Integration
● Analytics
API Gateway
[Diagram: Apps connect through the Gateway (Security, Rate Limiting, Integration, Analytics) to Services and Data]
Components of an API Management System
Creating APIs
● Start with an existing endpoint/contract, or design and prototype a new API
● Expose SOAP services (converted to REST, or as a passthrough)
● Expose streaming APIs (WebSocket endpoints)
Creating APIs
● API design through the wizard or with Swagger
Implementing and Publishing
● Point to a production backend, or prototype at the gateway
Discovering and Registering for APIs
Registering Applications
● Encapsulates the client application
● Associates OAuth2 keys
● Supports different integration patterns for application security through OAuth grant types
● Pre-generated access tokens for testing
Security: Identity
● Authentication
● Single Sign-on
● Federation
● Authorization
Example: authenticate via Facebook to Airbnb APIs
Security: Access Delegation
● Secure Trusted Clients
● Secure Untrusted Clients
● Unsecure Clients
● System-to-system authorization (Auth/z)
[Diagram: People, Apps]
OAuth 2.0 Grant Types
● Resource Owner Password Credentials
● Client Credentials
● Authorization Code
● Implicit Grant
Resource Owner Password Credentials
● The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client (e.g. a service’s own mobile client) and in situations where the client can obtain the resource owner’s credentials.
Client Credentials
● This grant is suitable for machine-to-machine authentication, or for a client making requests to an API that does not require the user’s permission. This grant should be allowed for use only by trusted clients.
Authorization Code
● The authorization code grant type is optimized for confidential clients.
● This grant type is suitable when the resource owner is a user and the client is a website.
[Diagram: Authorization Code flow]
Implicit Grant
● The implicit grant type is optimized for public clients known to operate a particular redirection URI.
● It is mainly used for clients that are not capable of keeping the client’s own credentials secret, for example a 'JavaScript only' application.
[Diagram: Implicit Grant flow]
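The four grant types above differ mainly in which kind of client may use them and on which channel the token is delivered. The following is an added example, not code from the slides or from WSO2: a minimal in-memory model of an OAuth 2.0 authorization server that enforces those rules. The client registry (web-app, spa, mobile-own, batch-job), their secrets and redirect URIs, and the user "alice" are all constructed sample data; the error strings follow the RFC 6749 error codes.

```python
"""Added example (not WSO2 or slide-author code): a minimal in-memory model of an
OAuth 2.0 authorization server enforcing the client-type rules behind the four
grant types on the slides. All clients, secrets and users are constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    client_secret: Optional[str]   # None for a public client that cannot keep a secret
    redirect_uris: tuple           # registered redirection URIs (exact match only)
    trusted: bool                  # first-party client allowed to collect user passwords
    grants: frozenset              # grant types this client is allowed to use


# Constructed sample registry: one client per grant type on the slides
CLIENTS = {
    "web-app":    Client("web-app", "s3cret-web", ("https://app.example/cb",), False,
                         frozenset({"authorization_code"})),     # confidential web site
    "spa":        Client("spa", None, ("https://spa.example/cb",), False,
                         frozenset({"implicit"})),               # JavaScript-only client
    "mobile-own": Client("mobile-own", "s3cret-mobile", (), True,
                         frozenset({"password"})),               # the service's own app
    "batch-job":  Client("batch-job", "s3cret-batch", (), False,
                         frozenset({"client_credentials"})),     # machine-to-machine
}
USERS = {"alice": "correct horse battery"}   # constructed resource owner


class OAuthError(Exception):
    """Carries the RFC 6749 error code as its message."""


class AuthServer:
    def __init__(self):
        self._codes = {}   # authorization code -> (client_id, redirect_uri, user, scope)
        self.tokens = {}   # access token -> what it grants (sub is None for app-only tokens)

    def _authenticate_client(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        if client is None:
            raise OAuthError("invalid_client")
        if client.client_secret is not None and (
                client_secret is None
                or not hmac.compare_digest(client.client_secret, client_secret)):
            raise OAuthError("invalid_client")   # confidential clients must prove identity
        return client

    @staticmethod
    def _require_grant(client, grant):
        if grant not in client.grants:
            raise OAuthError("unauthorized_client")

    def _issue(self, client_id, user, scope):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id, "sub": user, "scope": scope}
        return token

    # Front channel (/authorize): the user has already logged in and consented.
    def authorize(self, response_type, client_id, redirect_uri, user, scope="read"):
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            raise OAuthError("invalid_request")   # never redirect to an unregistered URI
        if response_type == "code":
            self._require_grant(client, "authorization_code")
            code = secrets.token_urlsafe(16)
            self._codes[code] = (client_id, redirect_uri, user, scope)
            return {"code": code}                 # token is fetched later on the back channel
        if response_type == "token":
            self._require_grant(client, "implicit")
            return {"access_token": self._issue(client_id, user, scope)}  # token in the redirect
        raise OAuthError("unsupported_response_type")

    # Back channel (/token): the client talks to the server directly.
    def token(self, grant_type, client_id, client_secret=None, **params):
        client = self._authenticate_client(client_id, client_secret)
        self._require_grant(client, grant_type)
        if grant_type == "authorization_code":
            entry = self._codes.pop(params.get("code"), None)   # a code is single use
            if entry is None or entry[0] != client_id or entry[1] != params.get("redirect_uri"):
                raise OAuthError("invalid_grant")
            return self._issue(client_id, entry[2], entry[3])
        if grant_type == "password":
            if not client.trusted:
                raise OAuthError("unauthorized_client")
            expected = USERS.get(params.get("username"))
            if expected is None or not hmac.compare_digest(expected, str(params.get("password"))):
                raise OAuthError("invalid_grant")
            return self._issue(client_id, params["username"], params.get("scope", "read"))
        if grant_type == "client_credentials":
            return self._issue(client_id, None, params.get("scope", "read"))  # no user involved
        raise OAuthError("unsupported_grant_type")


def outcome(fn, *args, **kwargs):
    """Call an endpoint and return its result, or the OAuth error code as a string."""
    try:
        return fn(*args, **kwargs)
    except OAuthError as exc:
        return str(exc)
```

The model makes the slide's distinctions concrete: only the trusted first-party client may send a user's password, only a confidential client (one that authenticates with a secret) may use the authorization code or client credentials grant, and the public JavaScript client receives its token directly in the redirect, which is why the redirect URI must match a registered value exactly.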
Federated Identity
● E.g. enable Facebook login for your application
Passthrough Security Context
[Diagram: Apps present an Access Token to the Gateway (Security, Rate Limiting, Integration, Analytics); the Gateway passes the user context on to Services and Data as a Signed JWT]
Rate Limiting: Front End
● Monetization
● Burst Control
● Fair Usage Policy
● Geographical Distribution
● Distribution by Device Type
[Diagram: People, Apps, Gateway]
Rate Limiting: Back-End
● Prevent Total Service Outage at Peaks
● Back-End Server Maintenance
[Diagram: Gateway, Services and Data]
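The two rate-limiting slides describe policies that act at different points: front-end limits per application (the basis for monetization tiers, burst control and fair usage) and back-end limits that keep a service alive at peaks or take it out of rotation for maintenance. The following is an added example, not code from the slides or from WSO2, implementing both layers in one gateway model: a token bucket per application sized by its subscription tier, and a per-second cap plus maintenance switch per backend service. The tier names and figures, application names and timestamps are constructed; time is passed in explicitly so the behaviour is deterministic.

```python
"""Added example (not WSO2 or slide-author code): gateway rate limiting with a
front-end (per application) and a back-end (per service) layer. Tiers,
applications and timestamps are constructed sample data."""

# Constructed tiers: (sustained requests per second, burst capacity)
TIERS = {"bronze": (1.0, 5), "gold": (10.0, 50)}


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens per second, never above `capacity`."""

    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), now   # a fresh bucket allows one full burst

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BackendGuard:
    """Fixed one-second window cap per backend, plus a maintenance switch that sheds all traffic."""

    def __init__(self, max_per_second):
        self.max_per_second = max_per_second
        self.window, self.count = None, 0
        self.maintenance = False

    def allow(self, now):
        if self.maintenance:
            return False
        window = int(now)
        if window != self.window:                 # a new second resets the counter
            self.window, self.count = window, 0
        if self.count >= self.max_per_second:
            return False
        self.count += 1
        return True


class Gateway:
    def __init__(self):
        self.buckets = {}    # application id -> TokenBucket (front-end policy)
        self.backends = {}   # API name -> BackendGuard (back-end policy)

    def subscribe(self, app_id, tier, now):
        """An application's subscription tier decides its rate and burst allowance."""
        rate, burst = TIERS[tier]
        self.buckets[app_id] = TokenBucket(rate, burst, now)

    def register_backend(self, api, max_per_second):
        self.backends[api] = BackendGuard(max_per_second)

    def handle(self, app_id, api, now):
        """Return (HTTP status, reason) as the gateway would answer the calling application."""
        bucket = self.buckets.get(app_id)
        if bucket is None:
            return 401, "unknown application"
        if not bucket.allow(now):                      # front-end throttle, per application
            return 429, "application quota exceeded"
        guard = self.backends[api]
        if not guard.allow(now):                       # back-end protection, per service
            return 503, ("backend under maintenance" if guard.maintenance else "backend at capacity")
        return 200, "ok"


def statuses(gateway, app_id, api, times):
    """Replay a list of request timestamps and return the status codes in order."""
    return [gateway.handle(app_id, api, t)[0] for t in times]
```

Evaluating the front-end bucket before the back-end guard means a throttled application's request never counts against the backend's budget, and the distinct 429 and 503 responses let the caller tell its own quota problem apart from a backend that is saturated or in maintenance.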
Integration
[Diagram: Interface Integration]
Analytics: Statistical Analysis
Analytics: Operational
● API Latency Distribution
● Alerting on Abnormalities
● API Health
API Management: Deployment Options
On-premise
● Fast!
● Tight security
● Complete control
● Limited to available infrastructure
● Need to handle updates and upgrades
API Management: Deployment Options
Cloud
● Can leverage cloud infrastructure
● No infrastructure costs
● No maintenance costs
[Diagram: Apps, Gateway, Cloud Services]
API Management: Deployment Options
Hybrid Cloud
[Diagram: Apps; Management in the cloud with Cloud Services; a Local Gateway in front of Internal Services; a Cloud Gateway in front of Cloud Services]
Micro Gateways: For Microservices
[Diagram: Gateway 1, Gateway 2, ... Gateway n, each in front of its own Service 1, Service 2, ... Service n]
Stages of the API Proxy
API Development Lifecycle
Multitenancy: Shared
[Diagram: one Runtime and one Data store shared by Tenant 1, Tenant 2, ... Tenant n]
Multitenancy: Shared vs. Isolated
[Diagram: Shared (Runtime, Data; Tenant 1, Tenant 2, ... Tenant n) beside Isolated (Runtime, Data; Tenant 1, Tenant 2, ... Tenant n)]
THANK YOU
wso2.com