Last Updated: March 2014
Isabelle Mauny
Director, Product Management, WSO2
Best Practices for API Management
Thursday, March 27, 14
About the speaker...
๏ French native
๏ Living in Spain
๏ Works mostly with Sri Lanka
๏ 18 years of IBM, 4 years in startups
๏ Managing the overall WSO2 portfolio
๏ Linux command line user
Who is WSO2?
๏ Open Source Middleware Platform Provider
๏ Apache 2.0 License
๏ Provides Integration, API Management and Mobile enterprise management products
๏ Main contributor to Apache Stratos PaaS
๏ Creators of DevOps “AppFactory” cloud solution
Business Model
Define a Business Model
๏ What are the business goals?
  ๏ Enable 3rd-party Mobile Apps development?
  ๏ Increase brand recognition?
  ๏ Open new revenue channels?
๏ Define Monetization model
  ๏ Free?
  ๏ Pay per usage?
  ๏ Free APIs, but paid via Ads
Development
Services and APIs
๏ Service deals with implementation
๏ API deals with subscription (consumer)
๏ Two very distinct life cycles!
๏ You don’t need the service to create the API...
Building a Managed API
๏ Creating APIs (interface, docs, samples, etc.)
๏ Advertising APIs
๏ Making APIs subscribe-able by consumers
๏ Associating SLAs
๏ Securing APIs
๏ Monetization and Analytics
API Security
API Security
๏ Security is not an afterthought!
๏ APIs are part of a much larger enterprise picture
๏ How will consumers request an access token?
  ๏ Using a SAML 2.0 assertion?
  ๏ Using client_credentials?
  ๏ Using userid/password?
๏ Make sure you document thoroughly how developers need to manage tokens:
  ๏ Tokens are like passwords!
  ๏ Always use SSL for token transportation!
  ๏ Use Domain restrictions (WSO2 API Manager)
Fine-grained access to APIs
๏ OAuth2 is all about access control: a token is associated with a scope.
๏ XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.
๏ OAuth scope can be represented in XACML policies
๏ Provides fine-grained control over what a user/application can do (e.g. you can call GET but not POST on an API)
Passing Auth Information to back-end services
๏ Using JSON Web Tokens (JWT)
  ๏ Lightweight
  ๏ Can be signed
  ๏ Easy to parse and consume
  ๏ Standard
[Diagram: Internal and External Applications → API Gateway (API Management Layer) → Services Layer; OAuth 2 Access Token presented at the gateway, JSON Web Token passed on to the services]
Token Format
๏ JWT Structure: {token info}.{claims list}.{signature}
๏ Base-64 Encoded
What are Claims?
๏ Claims are a set of attributes about a user, mapped to the underlying user store.
๏ A set of claims is called a dialect
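Added example tying the last four slides together (this is not code from the deck or from WSO2): a minimal HS256 JWT in the {token info}.{claims list}.{signature} layout, minted by a gateway for a back-end service, and the back-end side that verifies the signature, checks expiry and enforces the OAuth scope carried in the claims (GET allowed, POST not). The shared key, the claim names and the scope-to-method mapping are assumptions; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed shared secret between gateway and back-end (example value only).
SHARED_KEY = b"example-gateway-backend-key"

# Assumed mapping of OAuth scopes to the HTTP methods they permit
# (the slide's "you can call GET but not POST on an API").
SCOPE_METHODS = {
    "catalog:read": {"GET"},
    "catalog:write": {"GET", "POST", "PUT", "DELETE"},
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Gateway side: build {token info}.{claims list}.{signature}."""
    header = {"alg": "HS256", "typ": "JWT"}          # the "token info" segment
    body = _b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes = SHARED_KEY, now: Optional[float] = None) -> dict:
    """Back-end side: return the claims if the token is well-formed, correctly
    signed and unexpired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose how it gets verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if not isinstance(claims, dict):
        raise ValueError("claims segment is not an object")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def authorize(token: str, method: str, now: Optional[float] = None) -> bool:
    """Does any scope carried in the token permit this HTTP method?"""
    try:
        claims = verify_jwt(token, now=now)
    except ValueError:          # also covers JSON and base64 decode errors
        return False
    scopes = str(claims.get("scope", "")).split()
    return any(method in SCOPE_METHODS.get(s, set()) for s in scopes)
```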
Publishing
Choosing an API Management Platform
๏ What the platform must do, at a minimum:
  ๏ Users Management (self-sign up, profile management)
  ๏ API Publication / API Store
  ๏ API Security
  ๏ Statistics
  ๏ SLA control
  ๏ Throttling / Rate Limiting
  ๏ API Versioning
  ๏ Monetization/Billing
  ๏ and more!
๏ You could build all of this yourself, but...
Need for API Versioning
๏ Need to support API evolution
๏ While Maintaining
  ๏ Backward compatibility -> Functionality
  ๏ Rates/Throttling agreements
๏ Different versioning mechanisms
API Versioning Strategies
๏ Version as a query parameter
  ๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5
  ๏ Google Data API - “GData-Version: X.0” or “v=X.0”
๏ Version as part of URI
  ๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/
  ๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json
๏ Version as a date in URI
  ๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls
  ๏ http://www.twilio.com/docs/api/rest/making-calls
๏ Version as a
  ๏ Custom HTTP Header
  ๏ Accept Header
API Lifecycle
๏ An API can pass through multiple states
๏ For example:
  ๏ CREATED
  ๏ PUBLISHED
  ๏ DEPRECATED
  ๏ RETIRED
  ๏ BLOCKED
๏ Should integrate with complete governance lifecycle
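Added example covering the two slides above (not code from the deck or from WSO2 API Manager): one resolver that recognises each versioning strategy listed (query parameter, path segment, date segment, custom header, Accept header) and maps the requested version to a lifecycle state so that DEPRECATED, RETIRED and BLOCKED versions are handled explicitly at the gateway. The X-API-Version header name, the Accept parameter form, the precedence order and the deployed-version table are assumptions constructed for this example.

```python
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed table of deployed versions and their lifecycle state (constructed).
DEPLOYED = {"1.1": "PUBLISHED", "1.0": "DEPRECATED", "0.9": "RETIRED", "1.2": "BLOCKED",
            "20.0": "PUBLISHED", "2010-04-01": "PUBLISHED"}
DEFAULT_VERSION = "1.1"
CUSTOM_HEADER = "x-api-version"          # assumed custom header name

# A path segment that is a version: v20.0, 1.1, or a Twilio-style date 2010-04-01.
# Note a numeric resource id of the form "1.5" would also match; path-based
# schemes avoid that by putting the version before any ids.
_SEGMENT = re.compile(r"^(?:v(\d+(?:\.\d+)?)|(\d+\.\d+)|(\d{4}-\d{2}-\d{2}))$")
# Accept media-type parameter, e.g. "application/vnd.example+json; version=1.1" (assumed form).
_ACCEPT_PARAM = re.compile(r"\bversion=(\d+(?:\.\d+)?)")


def resolve_version(url: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the version the client asked for, or None if it asked for none.
    Precedence (assumed): custom header, Accept header, path segment, query parameter."""
    h = {k.lower(): v for k, v in headers.items()}
    if CUSTOM_HEADER in h:
        return h[CUSTOM_HEADER].strip()
    m = _ACCEPT_PARAM.search(h.get("accept", ""))
    if m:
        return m.group(1)
    parts = urlsplit(url)
    for seg in parts.path.split("/"):
        m = _SEGMENT.match(seg)
        if m:                    # first version-looking segment wins
            return next(g for g in m.groups() if g)
    q = parse_qs(parts.query)
    if "v" in q:                 # Netflix-style ?v=1.5
        return q["v"][0]
    return None


def route(url: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Decide which version to serve and which lifecycle state the gateway must honour."""
    requested = resolve_version(url, headers) or DEFAULT_VERSION
    state = DEPLOYED.get(requested, "UNKNOWN")
    decision = {"requested": requested, "state": state}
    if state in ("RETIRED", "BLOCKED", "UNKNOWN"):
        decision["action"] = "reject"        # nothing to serve (or not allowed to)
    elif state == "DEPRECATED":
        decision["action"] = "serve+warn"    # still serve, but signal the sunset
    else:
        decision["action"] = "serve"
    return decision
```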
Show some developer’s love :)
๏ Docs, docs and more docs
๏ API Samples, in many languages
๏ Embedded Testing
๏ Provide sandbox and production runtimes
๏ SDK
  ๏ Wraps API access, including security
Deployment
Gateway vs. ESB
๏ Oh, but I already have an ESB! Why do I need a gateway?
๏ API Gateway vs. Mediation Layer (ESB)
๏ Gateway = light ESB?
๏ Think of ESB as an architecture pattern, not a product!
Generic Facade Pattern
๏ Pros
  ๏ No additional hop in the network
  ๏ Single Server to be managed
  ๏ More suited for internal deployments
๏ Cons
  ๏ Complexity of integration at edge of network
  ๏ API Management layer can’t really scale independently
  ๏ Not appropriate for DMZ deployments (direct access to backend services)
[Diagram: Internal and External Applications → API Gateway (API Management Layer) → Services Layer]
Separated Facade & Mediation
๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies
๏ Clear separation of concern between layers
๏ Mediation layer and API management layer scale independently
๏ Specific security checks/protection at edge of the network
๏ Provides protocol transformation to the edge of the network
[Diagram: Internal and External Applications → API Gateway (API Management Layer) → Mediation Layer (Services Composition, Services Orchestration) → Services Layer]
Specific WSO2 Solution
๏ Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.
๏ You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
๏ Makes the choice a deployment one.
Typical Deployment
[Diagram: Web Tier (External Web Application, External Mobile Application) → Load balancer → API Gateways (External APIs Tier); Orchestration Layer (ESB Server, BPS Server / BPM); Data Access Layer (Data Services Server); Messaging Layer (Message Broker Server); Identity Server providing Token Validation, Policy Decision Point, Users Store Management; Internal APIs Tier with its own Load balancer, API Gateways and Identity Server]
Users Store
๏ Separate admins / corporate users from the developer users’ store (created via self-sign up)
You can’t manage what you can’t measure.
Why Analytics and API Management are important together?
๏ Build confidence in the API model
๏ Understand your customer
  ๏ Not just the developer but also the end-user
๏ Help manage services and versions
  ๏ Understand when deprecated services can be retired
๏ Plan better
  ๏ Monitor the growth of aggregated API traffic
  ๏ Monitor the growth of specific apps
๏ Even if you’re not going to put analytics in place, make sure you capture all events right from the beginning of the project.
Analytics 101: Aggregation
• How to collect data efficiently
• How to store data effectively
• Choose which data to capture
Analytics 101: Analysis
• Data operations
• Defining KPIs and analytics
• Operating on large amounts of historical or current data
• Creating intelligence
Analytics 101: Presentation
• Visualization
• Dashboards
• Reports
Monitor And Analyze
[Diagram: Events Collector, Events Datastore, 3rd party Products, Report Generator, CEP Engine, Analytics Engine, Real Time Decision Engine, Analytics Datastore, User Engagement Server; edges labelled WRITES EVENTS, FEEDS EVENTS, GENERATE NEW EVENTS, DEPLOYS LOGIC]
๏ Take decisions in real time through Complex Event Processing
๏ Create dashboards for both technical and business monitoring
Detecting Usage Patterns
๏ My API customer is trying to steal my business: let’s block them.
๏ A customer is at 80% of API plan: let’s warn them
๏ A customer is systematically at 120% of the plan: propose an upgrade to the premium plan
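Added example (not code from the deck or from WSO2 BAM/CEP): the two quota rules on this slide, warn at 80% of the plan and propose an upgrade when an application is systematically above 120%, run as batch detection over a constructed gateway access log; the "block" case is left to the operator because the slide names no detection signal for it. The log line format, the per-application quotas and the calendar-month billing period are assumptions made for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed monthly call quota per subscribed application (kept tiny so the
# constructed log stays readable; real plans would be thousands of calls).
PLANS: Dict[str, int] = {"mobile-shop": 5, "partner-x": 5, "web-portal": 5}

# Assumed gateway access-log layout: ISO timestamp, application, API, HTTP status.
LOG_LINE = re.compile(
    r"^(?P<month>\d{4}-\d{2})-\d{2}T\S+ app=(?P<app>\S+) api=(?P<api>\S+) status=(?P<status>\d{3})$")


def constructed_log() -> List[str]:
    """Constructed access log (not real traffic) spanning two billing months."""
    def calls(app: str, month: str, n: int) -> List[str]:
        return [f"2014-{month}-{day:02d}T10:00:00Z app={app} api=catalog/1.1 status=200"
                for day in range(1, n + 1)]
    return (calls("mobile-shop", "02", 4) + calls("mobile-shop", "03", 3)   # 80%, then 60%
            + calls("partner-x", "02", 6) + calls("partner-x", "03", 7)     # 120%, then 140%
            + calls("web-portal", "02", 6) + calls("web-portal", "03", 2))  # 120%, then 40%


def aggregate(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count calls per (app, billing month); lines that do not parse are ignored."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            counts[(m["app"], m["month"])] += 1
    return dict(counts)


def detect(counts: Dict[Tuple[str, str], int],
           plans: Dict[str, int] = PLANS) -> List[Tuple[str, str, str]]:
    """Apply the slide's rules; returns (app, month or '*', action) tuples."""
    actions: List[Tuple[str, str, str]] = []
    ratios: Dict[str, Dict[str, float]] = defaultdict(dict)
    for (app, month), n in sorted(counts.items()):
        quota = plans.get(app)
        if not quota:
            continue                      # unknown app: no plan to compare against
        ratio = n / quota
        ratios[app][month] = ratio
        if 0.8 <= ratio < 1.0:
            actions.append((app, month, "WARN"))     # nearing the plan: tell the customer
        elif ratio >= 1.0:
            actions.append((app, month, "OVER"))     # beyond the plan: throttle per the SLA
    for app, by_month in ratios.items():
        # "Systematically" = above 120% in every observed month, with at least two months of data.
        if len(by_month) >= 2 and all(r >= 1.2 for r in by_month.values()):
            actions.append((app, "*", "UPGRADE"))    # propose the premium plan
    return actions
```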
Demo
Demo Setup
[Diagram: Web Tier (External Web Application) → API Gateway (APIs tier) → Mediation Layer (ESB Server) → Services Layer (ESB, Application Server); Messaging Layer (Message Broker Server); Identity Server providing Token Validation, Policy Decision Point, Identity Provider, Users Store Manager; BAM and CEP for Reporting, Logging, Operational Analysis]
References
๏ Building an ecosystem for API Security (White Paper)
  http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
๏ API Facade Pattern (Webinar)
  http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
๏ API Management: missing link for SOA
  http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
๏ Promoting Service Reuse
  http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/
Download API Manager today!
๏ http://wso2.com/products/api-manager/
Contact us!

More Related Content

What's hot

Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust Visibility
Raphaël PINSON
 

What's hot (20)

[WSO2 Summit EMEA 2020] Building an Interactive API Marketplace
[WSO2 Summit EMEA 2020] Building an Interactive API Marketplace[WSO2 Summit EMEA 2020] Building an Interactive API Marketplace
[WSO2 Summit EMEA 2020] Building an Interactive API Marketplace
 
API Management within a Microservice Architecture
API Management within a Microservice ArchitectureAPI Management within a Microservice Architecture
API Management within a Microservice Architecture
 
WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
 
Mastering System Resiliency with AIOps
Mastering System Resiliency with AIOpsMastering System Resiliency with AIOps
Mastering System Resiliency with AIOps
 
API Business Models
API Business ModelsAPI Business Models
API Business Models
 
Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and Roadmap
 
API Governance
API Governance API Governance
API Governance
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Why API Ops is the Next Wave of DevOps
Why API Ops is the Next Wave of DevOpsWhy API Ops is the Next Wave of DevOps
Why API Ops is the Next Wave of DevOps
 
The Complete Guide to Service Mesh
The Complete Guide to Service MeshThe Complete Guide to Service Mesh
The Complete Guide to Service Mesh
 
How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?
 
How to Move from Monitoring to Observability, On-Premises and in a Multi-Clou...
How to Move from Monitoring to Observability, On-Premises and in a Multi-Clou...How to Move from Monitoring to Observability, On-Premises and in a Multi-Clou...
How to Move from Monitoring to Observability, On-Premises and in a Multi-Clou...
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
OpenTelemetry 101 FTW
OpenTelemetry 101 FTWOpenTelemetry 101 FTW
OpenTelemetry 101 FTW
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust Visibility
 
OpenTelemetry For Developers
OpenTelemetry For DevelopersOpenTelemetry For Developers
OpenTelemetry For Developers
 
API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the Enterprise
 
Building APIs with Mule and Spring Boot
Building APIs with Mule and Spring BootBuilding APIs with Mule and Spring Boot
Building APIs with Mule and Spring Boot
 
GuardDuty Hands-on Lab
GuardDuty Hands-on LabGuardDuty Hands-on Lab
GuardDuty Hands-on Lab
 

Similar to Best Practices for API Management

Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and...
Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and...Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and...
Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and...
WSO2
 

Similar to Best Practices for API Management (20)

Lessons from the Trenches: Building an API-Centric Architecture
Lessons from the Trenches: Building an API-Centric ArchitectureLessons from the Trenches: Building an API-Centric Architecture
Lessons from the Trenches: Building an API-Centric Architecture
 
Six Steps To Build A Successful API
Six Steps To Build A Successful APISix Steps To Build A Successful API
Six Steps To Build A Successful API
 
Six Steps to Build Successful APIs
Six Steps to Build Successful APIsSix Steps to Build Successful APIs
Six Steps to Build Successful APIs
 
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons LearntOracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA Convergence
 
Open APIs Design
Open APIs DesignOpen APIs Design
Open APIs Design
 
Melbourne Virtual MuleSoft Meetup June 2022
Melbourne Virtual MuleSoft Meetup June 2022Melbourne Virtual MuleSoft Meetup June 2022
Melbourne Virtual MuleSoft Meetup June 2022
 
A Connector, A Container and an API Walk into a Bar… Microservices Edition
A Connector, A Container and an API Walk into a Bar… Microservices EditionA Connector, A Container and an API Walk into a Bar… Microservices Edition
A Connector, A Container and an API Walk into a Bar… Microservices Edition
 
A Connector, A Container and an API Walk into a Bar… Microservices Edition
A Connector, A Container and an API Walk into a Bar… Microservices EditionA Connector, A Container and an API Walk into a Bar… Microservices Edition
A Connector, A Container and an API Walk into a Bar… Microservices Edition
 
MuleSoft Surat Meetup#39 - Pragmatic API Led Connectivity
MuleSoft Surat Meetup#39 - Pragmatic API Led ConnectivityMuleSoft Surat Meetup#39 - Pragmatic API Led Connectivity
MuleSoft Surat Meetup#39 - Pragmatic API Led Connectivity
 
Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and...
Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and...Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and...
Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and...
 
Top 7 wrong common beliefs about Enterprise API implementation
Top 7 wrong common beliefs about Enterprise API implementationTop 7 wrong common beliefs about Enterprise API implementation
Top 7 wrong common beliefs about Enterprise API implementation
 
Octo API-days 2015
Octo API-days 2015Octo API-days 2015
Octo API-days 2015
 
The B2B Perspective :: APIs and Services for Fleet Management
The B2B Perspective :: APIs and Services for  Fleet ManagementThe B2B Perspective :: APIs and Services for  Fleet Management
The B2B Perspective :: APIs and Services for Fleet Management
 
Sustainability Challenge, Postman, Rest sheet and Anypoint provider : MuleSof...
Sustainability Challenge, Postman, Rest sheet and Anypoint provider : MuleSof...Sustainability Challenge, Postman, Rest sheet and Anypoint provider : MuleSof...
Sustainability Challenge, Postman, Rest sheet and Anypoint provider : MuleSof...
 
Melbourne Virtual MuleSoft Meetup November 2020
Melbourne Virtual MuleSoft Meetup November 2020Melbourne Virtual MuleSoft Meetup November 2020
Melbourne Virtual MuleSoft Meetup November 2020
 
Sharing Best Practices and Recommendations from the Integration Battlefield
Sharing Best Practices and Recommendations from the Integration BattlefieldSharing Best Practices and Recommendations from the Integration Battlefield
Sharing Best Practices and Recommendations from the Integration Battlefield
 
Microservices & anypoint service mesh calgary mule soft meetup
Microservices & anypoint service mesh   calgary mule soft meetupMicroservices & anypoint service mesh   calgary mule soft meetup
Microservices & anypoint service mesh calgary mule soft meetup
 
Getting Started with API Management
Getting Started with API ManagementGetting Started with API Management
Getting Started with API Management
 
MuleSoft Madrid Meetup #3 slides 2nd July 2020
MuleSoft Madrid Meetup #3 slides 2nd July 2020MuleSoft Madrid Meetup #3 slides 2nd July 2020
MuleSoft Madrid Meetup #3 slides 2nd July 2020
 

More from WSO2

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected Products
WSO2
 
A Reference Methodology for Agile Digital Businesses
 A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses
WSO2
 

More from WSO2 (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in Choreo
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on Azure
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdf
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos Identity
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdf
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing Choreo
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected Products
 
A Reference Methodology for Agile Digital Businesses
 A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
 
Lessons from the pandemic - From a single use case to true transformation
 Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking Experiences
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready Bank
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Best Practices for API Management

  • 1. Last Updated: March 2014 Director,  Product  Management,  WSO2 Isabelle  Mauny Best  Prac1ces   for  API  Management Thursday, March 27, 14
  • 2. About  the  speaker... ๏ French  na)ve ๏ Living  in  Spain ๏ Works  mostly  with  Sri  Lanka ๏ 18  years  of  IBM,  4  years  in  startups ๏ Managing  the  overall  WSO2  porDolio ๏ Linux  command  line  user 2 Thursday, March 27, 14
  • 3. Who  is  WSO2  ?   ๏ Open  Source  Middleware   Pla2orm  Provider ๏ Apache  2.0  License ๏ Provides  Integra?on,  API   Management  and  Mobile   enterprise  management   products ๏ Main  contributor  to  Apache   Stratos  PaaS ๏ Creators  of  DevOps   “AppFactory”  cloud  solu?on 3 Thursday, March 27, 14
  • 5. Define  a  Business  Model 5 ๏ What  are  the  business  goals  ?   ๏ Enable  3rd-­‐party  Mobile  Apps  development  ?   ๏ Increase  brand  recogni)on  ? ๏ Open  new  revenue  channels  ? ๏ Define  Mone)za)on  model   ๏ Free  ?   ๏ Pay  per  usage  ? ๏ Free  APIs,  but  paid  via  Ads Thursday, March 27, 14
  • 7. ๏ Service  deals  with  implementa)on ๏ API  deals  with  subscrip)on  (consumer) ๏ Two  very  dis)nct  life  cycles  ! ๏ You  don’t  need  the  service  to  create  the  API... Services  and  APIs 7 Thursday, March 27, 14
  • 8. Building  a  Managed  API ๏ Crea)ng  APIs  (interface,  docs,  samples,etc.) ๏ Adver)sing  APIs ๏ Making  APIs  subscribe-­‐able  by  consumers ๏ Associa)ng  SLAs ๏ Securing  APIs ๏ Mone)za)on  and  Analy)cs 8 Thursday, March 27, 14
  • 10. API  Security   ๏ Security  is  not  an  aYer  thought  !   ๏ APIs  are  part  of  a  much  larger  enterprise  picture ๏ How  will  consumers  request  an  access  token  ?   ๏ Using  a  SAML  2.0  asser)on  ?   ๏ Using  client_creden)als  ?   ๏ Using  userid/password  ?   ๏ Make  sure  you  document  thoroughly  how  developers   need  to  manage  tokens: ๏ Tokens  are  like  passwords! ๏ Always  use  SSL  for  token  transporta)on  ! ๏ Use  Domain  restric)ons  (WSO2  API  Manager) 10 Thursday, March 27, 14
  • 11. Fine-­‐grained  access  to  APIs ๏ OAuth2  is  all  about  access  control:  a  token  is  associated  to  a  scope. ๏ XACML  (eXtensible  Access  Control  Markup  Language)  is  the  de-­‐ facto  standard  for  fine-­‐grained  access  control. ๏ OAuth  scope  can  be  represented  in  XACML  policies ๏ Provides  fine  grain  control  over  what  a  user/applica?on  can  do   (  i.e.  you  can  call  GET  but  not  POST  on  an  API)   11 Thursday, March 27, 14
  • 12. Passing  Auth  Informa6on  to  back-­‐end  services ๏ Using  JSON  Web  Tokens  (JWT)   ๏ Lightweight ๏ Can  be  signed ๏ Easy  to  parse  and  consume ๏ Standard API Gateway API Management Layer Services Layer Internal and External Applications OAuth 2 Access Token JSON Web Token 12 Thursday, March 27, 14
  • 13. Token Format
    ๏ JWT Structure: {token info}.{claims list}.{signature}
    ๏ Base-64 Encoded
  • 14. What are Claims?
    ๏ Claims are a set of attributes about a user, mapped to the underlying user store.
    ๏ A set of claims is called a dialect
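As an added example, not part of the deck or of WSO2's own code: a gateway-side routine that mints and verifies a JWT of the {token info}.{claims list}.{signature} shape from slide 13 (HS256 over base64url parts) and then applies the scope-per-method rule from slide 11 (GET allowed, POST not). The shared secret, the scope names and the method-to-scope mapping are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-gateway-signing-key"  # constructed shared key; a real gateway uses its own key material
REQUIRED_SCOPE = {"GET": "catalog:read", "POST": "catalog:write"}  # constructed method-to-scope mapping


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build {token info}.{claims list}.{signature}, signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(sig)

def verify_jwt(token: str, secret: bytes = SECRET, now: int = None) -> dict:
    """Return the claims if the signature checks out and the token is unexpired; raise ValueError otherwise."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return claims

def authorize(token: str, method: str, now: int = None) -> bool:
    """Gateway decision: the token is valid AND its scope claim covers the HTTP method."""
    try:
        claims = verify_jwt(token, now=now)
    except ValueError:
        return False
    return REQUIRED_SCOPE.get(method) in set(claims.get("scope", "").split())
```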
  • 16. Choosing an API Management Platform
    ๏ What the platform must do, at a minimum:
      ๏ Users Management (self-sign up, profile management)
      ๏ API Publication / API Store
      ๏ API Security
      ๏ Statistics
      ๏ SLA control
      ๏ Throttling / Rate Limiting
      ๏ API Versioning
      ๏ Monetization/Billing
      ๏ and more!
    ๏ You could build all of this yourself, but...
  • 17. Need for API Versioning
    ๏ Need to support API evolution
    ๏ While maintaining
      ๏ Backward compatibility -> Functionality
      ๏ Rates/Throttling agreements
    ๏ Different versioning mechanisms
  • 18. API Versioning Strategies
    ๏ Version as a query parameter
      ๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5
      ๏ Google Data API - "GData-Version: X.0" or "v=X.0"
    ๏ Version as part of URI
      ๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/
      ๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json
    ๏ Version as a date in URI
      ๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls
      ๏ http://www.twilio.com/docs/api/rest/making-calls
    ๏ Version as a header
      ๏ Custom HTTP Header
      ๏ Accept Header
  • 19. API Lifecycle
    ๏ An API can pass through multiple states
    ๏ For example:
      ๏ CREATED
      ๏ PUBLISHED
      ๏ DEPRECATED
      ๏ RETIRED
      ๏ BLOCKED
    ๏ Should integrate with complete governance lifecycle
  • 20. Show some developer's love :)
    ๏ Docs, docs and more docs
    ๏ API Samples, in many languages
    ๏ Embedded Testing
    ๏ Provide sandbox and production runtimes
    ๏ SDK
      ๏ Wraps API access, including security
  • 22. Gateway vs. ESB
    ๏ Oh, but I already have an ESB! Why do I need a gateway?
    ๏ API Gateway vs. Mediation Layer (ESB)
    ๏ Gateway = light ESB?
    ๏ Think ESB as an architecture pattern, not a product!
  • 23. Generic Facade Pattern
    ๏ Pros
      ๏ No additional hop in the network
      ๏ Single Server to be managed
      ๏ More suited for internal deployments
    ๏ Cons
      ๏ Complexity of integration at edge of network
      ๏ API Management layer can't really scale independently
      ๏ Not appropriate for DMZ deployments (direct access to backend services)
    [Diagram: internal and external applications reach the API Gateway / API Management Layer, which fronts the Services Layer directly]
  • 24. Separated Facade & Mediation
    ๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies
    ๏ Clear separation of concern between layers
    ๏ Mediation layer and API management layer scale independently
    ๏ Specific security checks/protection at edge of the network
    ๏ Provides protocol transformation to the edge of the network
    [Diagram: internal and external applications reach the API Gateway / API Management Layer, which forwards to a separate Mediation Layer (services composition, services orchestration) in front of the Services Layer]
  • 25. Specific WSO2 Solution
    ๏ Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.
    ๏ You can install the missing ESB features on top of API manager and combine both architecture layers into a single runtime!
    ๏ Makes the choice a deployment one.
  • 26. Typical Deployment
    [Diagram: external web and mobile applications enter through a load balancer into an External APIs Tier of API Gateways; an Internal APIs Tier of API Gateways sits behind its own load balancer; an Orchestration Layer (BPS Server, ESB Server), a Data Access Layer (Data Services Server) and a Messaging Layer (Message Broker Server) provide the backend; Identity Servers handle Token Validation, Policy Decision Point and Users Store Management]
  • 27. Users Store
    ๏ Separate admins / corporate users from the developer users' store (created via self-sign up)
  • 28. You can't manage what you can't measure.
  • 29. Why Analytics and API Management are important together?
    ๏ Build confidence in the API model
    ๏ Understand your customer
      ๏ Not just the developer but also the end-user
    ๏ Help manage services and versions
      ๏ Understand when deprecated services can be retired
    ๏ Plan better
      ๏ Monitor the growth of aggregated API traffic
      ๏ Monitor the growth of specific apps
    ๏ Even if you're not going to put analytics in place, make sure you capture all events right from beginning of project.
  • 30. Analytics 101: Aggregation
    • How to collect data efficiently
    • How to store data effectively
    • Choose which data to capture
  • 31. Analytics 101: Analysis
    • Data operations
    • Defining KPIs and analytics
    • Operating on large amounts of historical or current data
    • Creating intelligence
  • 32. Analytics 101: Presentation
    • Visualization
    • Dashboards
    • Reports
  • 33. Monitor And Analyze
    ๏ Take decisions in real time through Complex Event Processing
    ๏ Create dashboards for both technical and business monitoring
    [Diagram: an Events Collector writes events to an Events Datastore and feeds a CEP Engine, which generates new events; an Analytics Engine fills an Analytics Datastore used by a Report Generator, a Real Time Decision Engine (deploys logic), 3rd party products and a User Engagement Server]
  • 34. Detecting Usage Patterns
    ๏ My API customer is trying to steal my business: let's block them.
    ๏ A customer is at 80% of API plan: let's warn them
    ๏ A customer is systematically at 120% of the plan: propose an upgrade to the premium plan
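Added example, not from the deck: the three usage patterns above computed from a constructed stream of gateway events, using the 80% and 120% plan thresholds the slide gives. The plan quotas, the event stream and the "copying the catalogue" signal used for the block case are constructed assumptions; the deck does not specify how the first pattern is recognised.

```python
from collections import defaultdict

# Constructed plan quotas (calls per period) and catalogue size; events are (period, app, resource_id).
PLANS = {"appA": 1000, "appB": 1000, "appC": 500}
CATALOG_SIZE = 200


def usage_by_period(events):
    """Aggregate call counts and distinct resources per (app, period) from raw gateway events."""
    calls = defaultdict(int)
    seen = defaultdict(set)
    for period, app, resource in events:
        calls[(app, period)] += 1
        seen[(app, period)].add(resource)
    return calls, seen


def detect_patterns(events, periods, scrape_ratio=0.9):
    """Return {app: action} following the three cases on the slide.

    scrape_ratio is a constructed heuristic: an app that touches nearly the whole catalogue in a
    single period looks like it is harvesting the data set rather than serving end users."""
    calls, seen = usage_by_period(events)
    actions = {}
    for app, quota in PLANS.items():
        ratios = [calls[(app, p)] / quota for p in periods]
        if any(len(seen[(app, p)]) >= scrape_ratio * CATALOG_SIZE for p in periods):
            actions[app] = "block"            # customer copying the catalogue: stop it now
        elif all(r >= 1.2 for r in ratios):
            actions[app] = "propose-upgrade"  # systematically at 120%+ of the plan
        elif ratios[-1] >= 0.8:
            actions[app] = "warn"             # at 80% of the plan in the current period
        else:
            actions[app] = "ok"
    return actions


def sample_events():
    """Constructed event stream for three apps over three monthly periods."""
    periods = ["2014-01", "2014-02", "2014-03"]
    ev = [(periods[-1], "appA", f"r{i % 10}") for i in range(850)]          # 85% of plan, 10 resources
    ev += [(p, "appB", f"r{i % 20}") for p in periods for i in range(1250)]  # 125% every month
    ev += [("2014-03", "appC", f"r{i}") for i in range(190)]                 # sweeps 190 of 200 resources
    return periods, ev
```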
  • 36. Demo Setup
    [Diagram: an External Web Application calls the API Gateway in the APIs tier; an ESB Server forms the Mediation Layer in front of an Application Server in the Services Layer, with a Message Broker Server as Messaging Layer; an Identity Server provides Token Validation, Policy Decision Point, Identity Provider and Users Store Manager; BAM and CEP provide Reporting, Logging and Operational Analysis]
  • 37. References
    ๏ Building an ecosystem for API Security (White Paper)
      ๏ http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
    ๏ API Facade Pattern (Webinar)
      ๏ http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
    ๏ API Management: missing link for SOA
      ๏ http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
    ๏ Promoting Service Reuse
      ๏ http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/
  • 38. Download API Manager today!
    ๏ http://wso2.com/products/api-manager/