The document provides an overview of WSO2 API Manager 2.0.0, detailing its features for creating, protecting, managing, and analyzing APIs, alongside its deployment and developer portal capabilities. It highlights the platform's competitive advantages, such as its open-source nature, scalability, and comprehensive functionality across various types of deployments. Additionally, it covers API security measures, lifecycle management, monetization options, and the integration of analytics for optimizing API usage and performance.

1. WSO2 API Manager 2.0.0
Overview

2. Agenda
o Introduction
o Creating APIs
o Protecting APIs
o APIs Lifecycles
o Developer Portal
o Testing APIs
o API Gateway
o Deployment
o API Analytics

3. Introduction

4. APIs for Business Innovation
o API - Business capability offered via a digital channel
o Open internally and/or externally
o Monitored
o In some cases, monetized
o Fuel for rapid innovation, development of new apps
Image: thinkpublic/photopin cc

5. API Management Platform

6. WSO2 API Manager
o The only complete, 100% open source API Management solution
o A cleanly integrated system supporting API publishing, lifecycle
management, developer portal, access control and analytics
o Backed by high performance gateway
o A single node supports more than 100 million requests/day
o eBay handles up to 4.6 billion requests per day at peak times
(Cyber Monday)
0
7500
15000
22500
30000
June-Dec 2013 Jul-Dec 2014 Jul-Dec 2015
Product Downloads
0
28
55
83
110
138
Dec 2014 June 2015 Dec 2015
Production Customers

7. WSO2 API Manager cont.
o Includes Social enablement such as ratings and tagging
o Supports single-sign on with Facebook, GoogleApps, etc.
o Named a Strong Performer in this space by Forrester in 2014 and
2015
o Best API Design across all vendors
o Best Solution Cost for on-premise solution
o Extremely Satisfied customers
o Available on-premise, as managed deployment and as SaaS
application (API Cloud)

8. Competitive Advantage
o API Management is part of a complete platform
o Integration
o Security (Identity Management, Federated Identity)
o API Analytics
o Open Architecture
o Custom security tokens and grant types
o Custom store/developer’s portal user interface
o Custom user’s repositories
o Custom transports to back-end
o Available on-premise, as managed offering, as SaaS offering -
Same code everywhere

9. Competitive Advantage cont.
o Scalable Architecture
o Each component (Gateway, Dev Portal, Admin Portal, Key Server)
can be deployed and scaled separately
o Over 5000 TPS for a single node
o Business Model
o Subscriptions only for production systems - Makes cost very
competitive
o Pricing is adapted to small, medium and enterprises customers
o Cost linked to instances, not to machine power
o No community vs. enterprise distinction

10. Typical Use Cases
o Expose APIs for internal
consumption
o Manage APIs used in
internal applications
o Internal Monetization
o Control Access to Cloud Services - Manage and secure access from
internal applications to cloud services (e.g. SalesForce and Google Apps)
o APIs for public consumption
o Extend your business through APIs
o Integrate with partners and customers

11. API Manager Components

12. Creating APIs

13. Getting Started
o For REST - Start from existing API definition (Swagger 2.0) or
start from scratch
o For SOAP - Start from WSDL and generate default mapping and
definition

14. REST API Editing
o Basic editor to create the API structure

15. REST API Editing cont.
o Swagger editor (YAML-based) for advanced editing, configuration,
etc.

16. API Documentation

17. Protecting APIs

18. API Access Tokens
o OAuth2 standard compliant
o Supports multiple Grant
Types
o SAML, IWA/NTLM
o Client credentials, Implicit,
Password
o Pre-generated Access
Token - Mostly used for testing
o On-demand Access Token -
Generated via API call to the
Gateway, using any of the
supported Grant Types
o Tokens can be refreshed/
revoked via API calls as well

19. Pluggable OAuth Authorization Server
o OAuth token management is by default done with WSO2’s Key
Server (based on WSO2’s Identity Server)
o Can be replaced by third-party authorization server, capable of
creating, refreshing, validating, revoking OAuth tokens

20. Limiting Access to API Resources
o Achieved through OAuth scopes - Scope defines what can be
accessed by a token
o How to request a token
grant_type=password&username=john&password=john123&scope=news_read news_write

21. Throttling & Rate Limiting
o Throttling
o Regulates API traffic
o Makes APIs and applications available to consumers at different
service levels
o Secures APIs against security attacks (e.g. DoS attacks)
o Throttling is controlled through tiers-based policies - A tier is defined
by a time duration and a maximum no of requests during that duration
o Tiers can be applied at application, API and API resource levels

22. Throttling & Rate Limiting cont.
o At subscription time, API users can choose tiers they can
subscribe to - This default behavior can be overridden through
usage of workflows
o Throttling policies encompasses:
o Standard usage quotas of total subscriptions and resources
o Rate limiting based complex, extensible and dynamic rules,
scenarios and events
o Complex throttling policies (with transport headers, IP addresses,
etc.) can be created on the fly
o Facilitates blacklisting users/applications abusing rate limits

23. Throttling & Rate Limiting cont.

24. JWT Token Creation
o Using JSON Web Tokens
(JWT)
o Lightweight
o Can be signed
o Easy to parse and consume
o Standard
o JWT Structure {token info}.
{claims list}.{signature}
o Base-64 or Base64 URL
Encoded
o Contents of JWT are
configurable

25. API Lifecycles

26. API Lifecycle Management
o Create new APIs from
existing versions
o Deploy multiple versions in
parallel
o Deprecate versions to
remove them from store
o Retire them to un-deploy
from gateway
o Keeps audit of lifecycle
changes
o Supports custom lifecycles
leveraging WSO2
Governance Registry

27. Developer Portal

28. Discover APIs
o Users can search APIs by name, provider, version number,
context, description, meta-data from docs, etc.
o Tags to easily find all APIs related to a same domain
o Notifications on new API versions

29. Social Features
o Share with fellow developers via social media or mail
o Embed API link into blogs, Tweets, etc.

30. Forums
o Rich editor embedded within interface
o Forums are searchable and indexed

31. Customization
o All API store functionality available through REST API
o Customization through CSS, HTML5, JavaScript

32. Monetization
o Configurable payment schemes to monetize API usage
o Monetization rules are associated to Tiers
o Supports Free, Paid, Freemium models
o Usually coupled with 3rd party invoice/payment plans software
(such as Zuora)

33. Testing APIs

34. Embedded API Console
o Part of Swagger tooling suite
o Integrates token access for fast testing
o Gives direct access to Swagger definition of API
o Support Swagger schemas for predefined values

35. Testing via ReadyAPI’s SOAP UI

36. API Gateway

37. API Gateway Processing Workflow

38. Message Transformation and Mediation
o Custom mediation flows can be created by a developer and just
engaged by API Creator
o Mediations flows can be created using Developer Studio and directly
published to API Manager
o Full power of WSO2 ESB mediation language
o Graphical and Source view
o Mediations flows are tenant-specific (not visible/usable across tenants)

39. Workflows
o Provides extension point to engage custom workflow
o Default sample implementation leverages WSO2 Business Process
Server but a simple Java-based implementation or another BPM
engine can also be used
o Supports redirecting to third-party entities
o Available for user self-sign up, API subscription and application
creation

40. Deployment

41. Component Deployment
o Out-of-the-box, all components are packaged together
o They can also be deployed separately in an HA scenario – Active/
Active, Active/Passive

42. Component Deployment cont.

43. Multi-tenancy
o Creation of multiple domains (tenants)
o Each domain can have their own store or publish APIs to a central
store - This is transparent to consumers
o Typical Use Cases
o Segmenting publishers by business unit or partner and restricting
editing rights by domain
o Create an API marketplace - one-stop store for domain APIs
o API Cloud heavily leverages this functionality

44. Recommended Deployment: API Facade Pattern
o API Gateway acts as simple reverse proxy, enforcing policies and
collecting monitoring information
o Specific security checks/protection at edge of the network
o Invalid requests are stopped at the edge of the network
o Clear separation of concern between layers
o The mediation and API management layers scale independently
o You can combine the Façade and Mediation layers (if required)
and run as a single architecture layer

45. WSO2 Platform Deployment Options
o Stand-alone servers
o Private clouds:
e.g. Stratos, Kubernetes
o Public Clouds:
e.g. AWS
o Hybrid deployments
o Dedicated hosting of any WSO2-
based solutions
o WSO2 operations team is
managing the deployment and
keeps it running
o 99.99% uptime SLA
o Any AWS region of choice
o Can be VPNed to local network
o Includes monitoring, backups,
patching, updates
o Shared public cloud,
o Currently available for application
and API hosting (hosted API
Manager and App Factory),
o Preset multitenant deployment in
AWS US East run by WSO2,
o Month-to-month credit card
payment

46. API Analytics

47. Analytics
o WSO2 API Manager out-of-the-box supports Google Analytics and
WSO2 Analytics

48. Importance of API Management & Analytics
Combination
o Build confidence in the API model
o Understand your customer - Not just the developer but also the end-
user of APIs
o Helps manage services and versions - Understand when deprecated
services can be retired
o Be notified when abnormal events take place
o Plan better
o Monitor the growth of aggregated API traffic
o Monitor the growth of specific apps

49. WSO2 Analytics Platform

50. WSO2 Analytics Platform cont.
o Out-of-the- box reports covering all aspects of
o Subscriber behavior
o API usage
o Performance
o Can publish your own events from any API and build your own
dashboards

51. Reports for API Creators & Publishers
o Stats on APIs
o Published APIs Over Time
o API Usage
o API Response Times
o API Last Access Times
o Usage by Resource Path
o Usage by Destination
o API Usage Comparison
o API Throttled Requests
o Faulty Invocations
o API Latency
o API Usage Across Geo
Locations
o API Usage Across User Agent
o Stats on Applications
o App Throttled Requests
o Applications Created Over Time
o Stats on Subscriptions
o API Subscriptions
o Developer Signups Over Time
o Subscriptions Created Over
Time

52. Reports for API Creators & Publishers cont.

53. Reports for API Subscribers
o API Usage per Application
o Top Users per Application
o API Usage from Resource
Path per Application
o Faulty Invocation per
Application

54. Real-time API Behavior Analysis
o Leverages real-time analytics streaming engine
o Detects fraudulent token usage - Indication of lost tokens via alerts on
abnormal token renewals and unseen source IP access (abrupt changes to geo-
location)
o Supports API product managers to provide better customer
service
o Alerts when API response time is outside normal parameters, indicating a
potential SLA breach
o Alerts when apps/users are throttled out for hitting the current subscription
tier - potential opportunity to proactively propose a tier upgrade or to adjust
SLAs
o Detect when APIs are not used as expected
o Identifies erratic behavior and supports capacity planning
o Alerts when a sudden spike/drop in the request count in a given duration for
an API resource – Possible indication of a system problem
o Determining trends in increased response times – Indication of potential
issues with APIs or backend system capacity

55. Why Real-time Analytics for APIs ?
o Blacklist & whitelist verifications in real time
o Detect trends
o Detect incoherencies in trends
o Detect API calls sequences that you don’t want to allow
o Detect non-usage scenarios ( raise alerts on poor usage of a
certain API)

56. Example – Real-time Fraud Detection

57. Log Analysis
o Log Analysis through reports on low-level system operations:
o Log events - Overall statistics of the types of log events created in a given
time period
o Application errors - Breakdown of error log events based on exception
category and error message
o Artifact deployment stats - Number of artifacts deployed in a given duration
o Login failures - No of failed login attempts in a given duration
o No of API failures
o Access token-related issues
o Ability to view live log events on per-tenant basis

58. CONTACT US !