PATTERNS FOR AUTOMATING
API PRODUCT DELIVERY
By Ikenna Nwaiwu
About me
• API Consultant @ Ikenna Consulting
• We help organisations increase the value of
their APIs and lower the cost of API delivery.
• Author, Automating API Delivery
(Manning, 2023)
• Let’s connect
https://www.linkedin.com/in/ikenna
(if at the conference, get free book code!)
Goal of this talk
• Show how to use four control patterns to reduce risk and
improve the value of your API.
Participate
• Content and code example repo
https://github.com/IkennaConsulting/patterns-for-api-
delivery
• Join at Slido.com #1443618
Agenda
Intro to the Pattern Format
1 – API Consistency Controls (API linting)
2 – Breaking Change Controls
3 – API Conformance Controls
4 – Code Generation Controls
Conclusion
Intro to the Pattern Format
Why these control
patterns?
At a high level, API development
processes face common problems
that have common solutions.
Why these control patterns?
Help improve the developer
experience of your API
Help improve your operational
efficiency
The pattern format I'll use for each pattern
Problem/Why?
Countermeasure
How it fits in the automated governance framework
Benefits
Code example
Challenges
Contraindications (when not to use it)
Tips + What to look out for when choosing a tool
Alternative patterns/practices
Pattern 1:
API Consistency Controls
(Linting)
The problem
When multiple teams in an org build APIs, standardisation and
inconsistency problems arise.
51% of the respondents to the 2023 Smartbear State of Software
Quality | API report sited standardisation as the biggest challenge in
API development.
The problem
There is no time to read, remember and apply all the details of
your API style guides.
43% of the respondents of the Postman State of API 2023 report
sited lack of time as the biggest obstacle to producing APIs.
The problem
Teams applying DevOps face a high cognitive load.
The 3rd highest obstacle to producing APIs in the Postman
survey is the lack of API design skills.
Countermeasures
Use API linting tools to
enforce API style guides
and standards.
Integrate the API linting
tool with your CI/CD
pipeline.
Automated
governance
framework
Benefits
Improved API consistency
and developer experience
for the API consumer.
Improved lead time in API
design.
Improved API security at the
design stage.
Reduce time, toil and mental
effort spent on design
debates and API reviews.
Code example
Redocly CLI
Optic
Vacuum
Spectral
AI-assisted linting with Anthropic
Specialist artefact linters
https://github.com/IkennaConsulting/patterns-for-api-
delivery/blob/main/.github/workflows/api-consistency.yml
Challenges with applying this pattern
No style guide on which to base the linting rules
API definitions not in version control
Writing rules takes effort
No API platform/governance team to support the rules
Contraindications
• The early part of product development
• Non-important API
Tips. When picking a linting tool, consider:
Speed!
Good error messages
Ease of writing rules
Extra features of CLIs: managing API definition files
(bundling, splitting, joining, etc.)
Tips
Do start linting even if you don't have a style guide
Lint in the pipeline.
Provide docs & tools for linting locally (editor, CLI) for fast feedback.
You may need more than one kind of linter
Alternatives
Manual API design reviews and checklists
Pattern 2:
Automated Breaking
Change Controls
The Problem
Breaking change: A change to an API that requires existing client integration
code to change.
Breaking changes can come from:
A change in the API definition.
A change in the code or API config not
reflected in the definition.
The Problem
Real customer quote 1: "You should
stop doing breaking changes to the
API ASAP. If you do not, as a
business, you will lose a massive
amount of customers and lose
reputation.”
Real customer quote 2: "The way
[company] handles API changes is
going to impact our business since
we consume the data in production.
We are left without any solutions or
guidelines. We found out a bit late
about the breaking change that is
going to happen tomorrow..."
Countermeasures
Have a clear API versioning strategy that minimises disruption to
existing client integrations.
Use breaking change detection tools.
Give visibility of changes with a comprehensive API change log.
Automated
governance
framework
Benefits
Better API adoption
Reduce customer
attrition
Reduced support and
rework costs
Lower cognitive load for
producers and
consumers
Code example
Tufin/Oasdiff
UseOptic/Optic
Pb33f OpenAPI-Changes
Bump.sh
https://github.com/IkennaConsulting/patterns-for-api-
delivery/blob/main/.github/workflows/breaking-checks.yaml
Tips
Have well-defined breaking
change rules.
https://github.com/Tufin/oasdiff/blob/
main/BREAKING-CHANGES-
EXAMPLES.md
Generate and publish an API
change log in a standard format.
Example standard format
https://keepachangelog.com/en/1.0.0
Challenges with applying this pattern
The absence of a provider’s breaking change policy relegates the
decision to the tool used.
Handling deprecations
Contraindications
• New product
development - early
part of product life
cycle
Alternatives
Manually detect changes in API design reviews
For internal APIs - consumer-driven contract testing
Pattern 3:
API Conformance Controls -
Conformance tests
The Problem
The API reference can become inconsistent with the actual API
implementation.
52% of the respondents to the 2023 Smartbear State of Software Quality |
API report cited documentation being out of sync as the 2nd largest
hindrance to API documentation
The Problem
"It ain’t what you don't know that
gets you into trouble. It's what you
know for sure that just ain't so." –
Mark Twain
Countermeasure
Run conformance (also called contract tests) to ensure public API
reference (especially the schema) is in sync with implementation.
Better suited for public APIs, than for internal APIs whose evolution can
be managed with consumer-based contract testing techniques (e.g Pact)
Automated
governance
framework
Benefits
Reliable, trustworthy documentation
Better developer experience
More correct SDKs and other generated artefacts
Lower support costs from defects
My typology of conformance tests
Code-based end-to-end
schema test.
Code-based controller
schema test.
Fuzzer schema test: Auto-
generated end-to-end
schema test with a fuzzing
tool.
End-to-end schema testing
with validating proxy.
Code example
Pb33f Wiretap
Schemathesis
https://github.com/IkennaConsulting/patterns-for-api-
delivery/blob/main/.github/workflows/conformance-
checks.yaml
Challenges
• Conformance testing is expensive to run end-to-end as part of
regular test suite for a public API.
Tips
Run on PR changes (lightweight)
Minimise running large end-to-end conformance test suites (expensive)
Multiple controls helpful - testing conformance + generating code from specs
Aim to detect undocumented properties. Set additionalProperties:false before
test runs using: https://github.com/NickHeap2/add-props-flipflop
Contraindications
Code-first development
Good server stub code
generation minimises the
need for conformance tests
Alternatives
Generate code from
specs (API design-first)
Generate spec from
code (code-first)
Internal APIs -
consumer-driven
contract testing (but
not for public /
external APIs)
Pattern 4:
Code Generation Controls
Problem
OpenAPI
definitions that
cannot be used to
generate SDKs
01
No SDKs – long
time to first hello
world.
02
Drift between API
definition and
server code.
03
Countermeasures
• Use a code generation library to generate API client and server-
stub code from your API definition
Benefits
Lower cognitive load for API consumers 'SDK first experience'
Save development time for API consumers and API producers
Reduce API definition drift
Code example
Fern
Microsoft Kiota
OpenAPI Generator
https://github.com/IkennaConsulting/patterns-for-api-
delivery/blob/main/.github/workflows/code-generation.yaml
Challenges
• Poor quality API definitions
• Maintenance overhead. If multiple SDKs, cost of
• addressing specific issues for each SDK
• deployment pipeline, documentation for each
• Resource allocation
• Release management
• tracking SDK version and use by clients
• testing SDKs to avoid breaking changes
Tips
• Consider using SDK code generation as a service like Speakeasy and
Apimatic
Contraindications
• No budget / resources to support client SDKs
Alternatives
Client hand-
coded
integration
Provider hand-
coded client
SDKs
Provider hand-
coded server
stubs
Conclusion
Conclusion
If you are building lots of APIs, consider these four controls in your API delivery
process: API consistency controls / linting, breaking change controls, API
conformance controls and code generation controls.
You may need to use more than one tool for each control. Experiment with the
tools.
The goal is to reduce risk and improve the value of your API.
Questions ?
• Join at Slido.com #1443618
• Let’s connect https://www.linkedin.com/in/ikenna
(if at the conference, get free book code!)
• Content and code example repo
https://github.com/IkennaConsulting/patterns-for-api-delivery

Patterns for automating API delivery. API conference

Editor's Notes

  • #3 "Automating API Delivery is my go-to source to help solution architects and API development teams understand how to introduce API governance processes" - Mark Body "When it comes to scaling the API practice for both speed and scale, this book goes deep into the details of how to manage APIs in an effective and scalable way" - Eric Wilde
  • #22 Even the most basic linting rules (e.g. the OpenAPI file is valid) can save a lot of time. It's easy to add more rules later. (e.g. for SDKs, documentation portal, gateway config, guide docs)