six steps to build a successful api

Last Updated: Jan. 2014 VP Platform Evangelism Chris Haddad Six Tactics For Building Successful APIs

Upload: chris-haddad

Post on 02-Jul-2015


DESCRIPTION

Teams building successful APIs focus on six tactical best-practice areas to gain widespread developer community adoption, increase operational resiliency, accelerate API delivery, and seamlessly evolve API design as business requirements change. In this session, learn how to make tactical design decisions that expand your internal and external API community, reliably connect back-end Cloud services, rapidly publish data as APIs, secure API interactions, and synchronize lifecycle activities. Chris and Sumedha will build a few live APIs in the Cloud. The APIs will demonstrate design patterns, implementation decisions, and API environments (cloud and on-premise) that allow you to tailor your API based on target ecosystem and business model.

TRANSCRIPT

Page 1: Six Steps To Build A Successful API

Last Updated: Jan. 2014

VP Platform Evangelism

Chris Haddad

Six Tactics For Building Successful APIs


About the Presenter

• VP Platform Evangelism

• F500/G2000 Advisor

• Cloudy DevOps for Dev guy

• API Strategy and SOA Roadmap consultant

• Architect

• SaaS and PaaS

• Service portfolio and infrastructure

• Java, .NET, JavaScript, Open Source

• Learn more about me

• Follow me @cobiacomm on Twitter

• Blog: http://blog.cobia.net/cobiacomm

• Decks: http://www.slideshare.net/cobiacomm/

• Profile: http://www.linkedin.com/in/cobiacomm/

• On Google+ too


What architecture goal-state is required?

http://edcforums.com/threads/the-atwood-collectors-thread-part-2.101226/page-5


Old IT Responsive IT


Engage your customers and partners

Mobility, Internet of Everything, and Ecosystem Business Models are Transforming The Web


APIs Fit Into A Bigger IT Picture


Connected Business Reference Architecture


Architecture Focus Areas

Integration

Expose Services as APIs

Big Data Streams and Analytics


Architecture Focus Areas

Identity and Entitlement Management

Cloud

AppDev

Developer Studio

App Factory

AS incl. Jaggery), UES, DSS,


Enterprise Service Bus Component Architecture


API-centric Focus

An API is a business capability delivered over the Internet to internal or external consumers

๏ Network accessible function

๏ Available using standard web protocols

๏ With well-defined interfaces

๏ Designed for access by third-parties


API-centric Focus

A Managed API is:

๏ Actively advertised and subscribe-able

๏ Available with SLAs

๏ Secured, authenticated, authorized and protected

๏ Monitored and monetized with analytics


API Centric Capabilities


API-centric Integration Capabilities

๏ Expose APIs for public consumption

๏ Extend your business through APIs.

๏ API Branding

๏ Expose APIs for internal consumption

๏ Manage the APIs used in internal applications

๏ Detect Usage Patterns

๏ Internal Monetization

๏ Control Access to Cloud Services

๏ Manage and Secure access from internal applications to cloud services (SalesForce, Google Apps, etc.) and between cloud-to-cloud interactions


API Management Platform Capabilities

๏ What the platform must do, at a minimum:

๏ Users Management (self-sign up, profile management)

๏ API Publication / API Store

๏ API Security

๏ Statistics

๏ SLA control

๏ Throttling / Rate Limiting

๏ API Versioning

๏ Monetization/Billing

๏ and more !

๏ You could build all of this yourself, but...


Open API and Collaboration


Enterprise SOA and API Integration Platform: API-centric View


Six Steps

๏ Define A Business Model

๏ Build a Managed API

๏ API Security

๏ Reconcile Services and APIs Creation, Lifecycle and Governance

๏ Enterprise Integration

๏ API Branding and API as a Product == Yields => Monetization


Define a Business Model

๏ What are the business goals ?

๏ Enable 3rd-party Mobile Apps development ?

๏ Increase brand recognition ?

๏ Open new revenue channels ?

๏ Define Monetization model

๏ Free ?

๏ Pay per usage ?

๏ Free APIs, but paid via Ads


Building a Managed API

๏ Creating APIs (interface, docs, samples, etc.)

๏ Advertising APIs

๏ Making APIs subscribe-able by consumers

๏ Associating SLAs

๏ Securing APIs

๏ Monetization and Analytics


Services and APIs

๏ Service deals with implementation

๏ API deals with subscription (consumer)

๏ Two very distinct life cycles !

๏ You don’t need the service to create the API...


API Versioning Strategies

๏ Version as a query parameter

๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5

๏ Google Data API - "GData-Version: X.0" or "v=X.0"

๏ Version as part of URI

๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/

๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json

๏ Version as a date in URI

๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls

๏ http://www.twilio.com/docs/api/rest/making-calls

๏ Version as a header:

๏ Custom HTTP Header

๏ Accept Header
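The four strategies above, applied to the slide's own example URLs, as an added Python example (not from the deck or any product it mentions). It extracts the version selector and refuses a request that carries two different versions, so a gateway cannot be steered to a version other than the one its policy checked. The `version=` Accept parameter is an assumed convention.

```python
import re
from urllib.parse import parse_qs, urlsplit

DATE_SEG = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# "v20.0" or "1.1"; a bare integer is not treated as a version because it is
# usually a resource id (e.g. 70023522 in the Netflix URL).
NUM_SEG = re.compile(r"^(?:v(\d+(?:\.\d+)*)|(\d+\.\d+))$")
ACCEPT_VER = re.compile(r";\s*version=([\w.-]+)")  # assumed media-type parameter

def version_signals(url, headers=None, custom_header="GData-Version"):
    """Return every (strategy, version) pair the request carries."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    parts = urlsplit(url)
    found = [("query", v) for v in parse_qs(parts.query).get("v", [])]
    for seg in parts.path.split("/"):
        if DATE_SEG.match(seg):
            found.append(("uri-date", seg))
        elif (m := NUM_SEG.match(seg)):
            found.append(("uri", m.group(1) or m.group(2)))
    if custom_header.lower() in hdrs:
        found.append(("header", hdrs[custom_header.lower()].strip()))
    if (m := ACCEPT_VER.search(hdrs.get("accept", ""))):
        found.append(("accept", m.group(1)))
    return found

def resolve_version(url, headers=None):
    """Pick the single version a request selects; refuse ambiguous requests."""
    found = version_signals(url, headers)
    if not found:
        raise LookupError("no version selector")
    if len({version for _, version in found}) > 1:
        raise ValueError(f"conflicting version selectors: {found}")
    return found[0]

if __name__ == "__main__":
    # URLs taken from the slide; the last one is constructed to show a conflict.
    for url in ("http://api.netflix.com/catalog/titles/series/70023522?v=1.5",
                "https://na1.salesforce.com/services/data/v20.0/sobjects/Account/",
                "https://api.twitter.com/1.1/statuses/mentions_timeline.json",
                "/2010-04-01/Accounts/{AccountSid}/Calls",
                "https://api.example.test/v2/items?v=1"):
        try:
            print(url, "->", resolve_version(url))
        except ValueError as err:
            print(url, "-> rejected:", err)
```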


API Lifecycle

๏ An API can pass through multiple states

๏ For example:

๏ CREATED

๏ PUBLISHED

๏ DEPRECATED

๏ RETIRED

๏ BLOCKED

๏ Should integrate with complete governance lifecycle


API Security

๏ Security is not an afterthought !

๏ APIs are part of a much larger enterprise picture

๏ How will consumers request an access token ?

๏ Using a SAML 2.0 assertion ?

๏ Using client_credentials ?

๏ Using userid/password ?

๏ Make sure you document thoroughly how developers need to manage tokens:

๏ Tokens are like passwords!

๏ Always use SSL for token transportation !

๏ Use Domain restrictions (WSO2 API Manager)


Fine-grained access to APIs

๏ OAuth2 is all about access control: a token is associated with a scope.

๏ XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.

๏ OAuth scope can be represented in XACML policies

๏ Provides fine-grained control over what a user/application can do (e.g. you can call GET but not POST on an API)
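The "GET but not POST" case as an added Python example (not from the deck, and not XACML syntax): a small deny-by-default decision function that maps token scopes to methods and resources and uses the deny-overrides combining idea from XACML. The scope names, paths and rule table are constructed for illustration, and the path is assumed to be already normalized by the gateway.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    scope: str            # OAuth2 scope the token must carry
    methods: frozenset    # HTTP methods the rule covers
    resource: str         # glob over the normalized request path
    effect: str           # "Permit" or "Deny"

# Constructed sample policy: read scope may only GET; write scope may also
# POST, except under the archive, which nobody may modify.
POLICY = (
    Rule("orders.read", frozenset({"GET"}), "/orders/*", "Permit"),
    Rule("orders.write", frozenset({"GET", "POST"}), "/orders/*", "Permit"),
    Rule("orders.write", frozenset({"POST"}), "/orders/archive/*", "Deny"),
)

def decide(token_scopes, method, path, policy=POLICY):
    """Deny-overrides: any matching Deny wins; no matching rule is also Deny."""
    decision = "Deny"  # the enforcement point treats "not applicable" as Deny
    for rule in policy:
        if rule.scope not in token_scopes:
            continue
        if method.upper() not in rule.methods:
            continue
        if not fnmatchcase(path, rule.resource):
            continue
        if rule.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision

if __name__ == "__main__":
    # Constructed requests: (scopes on the token, method, path)
    for scopes, method, path in (
        ({"orders.read"}, "GET", "/orders/42"),
        ({"orders.read"}, "POST", "/orders/42"),
        ({"orders.write"}, "POST", "/orders/archive/7"),
    ):
        print(sorted(scopes), method, path, "->", decide(scopes, method, path))
```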


Passing Auth Information to back-end services

๏ Using JSON Web Tokens (JWT)

๏ Lightweight

๏ Can be signed

๏ Easy to parse and consume

๏ Standard


Generic Facade Pattern

๏ Pros

๏ No additional hop in the network

๏ Single Server to be managed

๏ More suited for internal deployments

๏ Cons

๏ Complexity of integration at edge of network

๏ API Management layer can’t really scale independently

๏ Not appropriate for DMZ deployments (direct access to backend services)


Separated Facade & Mediation

๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies

๏ Clear separation of concern between layers

๏ Mediation layer and API management layer scale independently

๏ Specific security checks/protection at edge of the network

๏ Provides protocol transformation to the edge of the network


Specific WSO2 Solution

๏ Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.

๏ You can install the missing ESB features on top of API manager and combine both architecture layers into a single runtime!

๏ Makes the choice a deployment one.


API-centric Challenges, Requirements, Use Cases

๏ Enterprise Integration

๏ Integrate with Enterprise Identity Management, Enterprise Security, and Enterprise Key Management Solution

๏ Integrate with monitoring and statistics dashboard

๏ Integrate with existing Service Gateways

๏ Best Practices

๏ Jump from internal services to external API – what practices are required?

๏ How does API governance reconcile with service governance?


Typical Deployment


You can’t manage what you can’t measure.


Why are Analytics and API Management important together?

๏ Build confidence in the API model

๏ Understand your customer

๏ Not just the developer but also the end-user

๏ Help manage services and versions

๏ Understand when deprecated services can be retired

๏ Plan better

๏ Monitor the growth of aggregated API traffic

๏ Monitor the growth of specific apps

๏ Even if you’re not going to put analytics in place, make sure you capture all events right from the beginning of the project.


Event Streams



Insight Architecture



Brands Enhance Revenue


Six Steps

๏ Define A Business Model

๏ Build a Managed API

๏ API Security

๏ Reconcile Services and APIs Creation, Lifecycle and Governance

๏ Enterprise Integration

๏ API Branding and API as a Product == Yields => Monetization


Download API Manager today!

๏ http://wso2.com/products/api-manager/