Six Steps to Build Successful APIs

Upload: wso2

Post on 14-Nov-2014

DESCRIPTION

Chris and Sumedha co-hosted a workshop at the API Strategy & Practice Conference Chicago where participants learned how to make tactical design decisions that expand internal and external API community, reliably connect back-end Cloud services, rapidly publish data as APIs, secure API interactions, and synchronize lifecycle activities. The session included the building of a few live APIs in the Cloud.

TRANSCRIPT

Page 1: Six Steps to Build Successful APIs

Last Updated: Jan. 2014

VP Platform EvangelismChris Haddad

Six Tactics For Building Successful APIs

Page 2: Six Steps to Build Successful APIs

About the Presenter

• VP Platform Evangelism

• F500/G2000 Advisor

• Cloudy DevOps for Dev guy

• API Strategy and SOA Roadmap consultant

• Architect

• SaaS and PaaS

• Service portfolio and infrastructure

• Java, .NET, JavaScript, Open Source

• Learn more about me

• Follow me @cobiacomm on Twitter

• Blog: http://blog.cobia.net/cobiacomm

• Decks: http://www.slideshare.net/cobiacomm/

• Profile: http://www.linkedin.com/in/cobiacomm/

• On Google+ too

Page 3: Six Steps to Build Successful APIs

What architecture goal-state is required?

http://edcforums.com/threads/the-atwood-collectors-thread-part-2.101226/page-5

Page 4: Six Steps to Build Successful APIs

Old IT Responsive IT

Page 5: Six Steps to Build Successful APIs

Engage your customers and partners

Mobility, Internet of Everything, and Ecosystem Business Models are Transforming The Web

Page 6: Six Steps to Build Successful APIs

APIs Fit Into A Bigger IT Picture

Page 7: Six Steps to Build Successful APIs

Connected Business Reference Architecture

Page 8: Six Steps to Build Successful APIs

Architecture Focus Areas

Integration

Expose Services as APIs

Big Data Streams and Analytics

Page 9: Six Steps to Build Successful APIs

Architecture Focus Areas

Identity and Entitlement Management

Cloud

AppDev

Developer Studio, App Factory

AS (incl. Jaggery), UES, DSS

Page 10: Six Steps to Build Successful APIs
Page 11: Six Steps to Build Successful APIs

Enterprise Service Bus Component Architecture

Page 12: Six Steps to Build Successful APIs

API-centric Focus

An API is a business capability delivered over the Internet to internal or external consumers

๏ Network accessible function

๏ Available using standard web protocols

๏ With well-defined interfaces

๏ Designed for access by third-parties

Page 13: Six Steps to Build Successful APIs

API-centric Focus

A Managed API is:

๏ Actively advertised and subscribe-able

๏ Available with SLAs

๏ Secured, authenticated, authorized and protected

๏ Monitored and monetized with analytics

Page 14: Six Steps to Build Successful APIs

API Centric Capabilities

Page 15: Six Steps to Build Successful APIs

API-centric Integration Capabilities

๏ Expose APIs for public consumption

๏ Extend your business through APIs.

๏ API Branding

๏ Expose APIs for internal consumption

๏ Manage the APIs used in internal applications

๏ Detect Usage Patterns

๏ Internal Monetization

๏ Control Access to Cloud Services

๏ Manage and Secure access from internal applications to cloud services (SalesForce, Google Apps, etc.) and between cloud-to-cloud interactions

Page 16: Six Steps to Build Successful APIs

API Management Platform Capabilities

๏ What the platform must do, at a minimum:

๏ Users Management (self-sign up, profile management)

๏ API Publication / API Store

๏ API Security

๏ Statistics

๏ SLA control

๏ Throttling / Rate Limiting

๏ API Versioning

๏ Monetization/Billing

๏ and more !

๏ You could build all of this yourself, but...

Page 17: Six Steps to Build Successful APIs

Open API and Collaboration

Page 18: Six Steps to Build Successful APIs

Enterprise SOA and API Integration Platform: API-centric View

Page 19: Six Steps to Build Successful APIs

Six Steps

๏ Define A Business Model

๏ Build a Managed API

๏ API Security

๏ Reconcile Services and APIs Creation, Lifecycle and Governance

๏ Enterprise Integration

๏ API Branding and API as a Product == Yields => Monetization

Page 20: Six Steps to Build Successful APIs

Define a Business Model

๏ What are the business goals ?

๏ Enable 3rd-party Mobile Apps development ?

๏ Increase brand recognition ?

๏ Open new revenue channels ?

๏ Define Monetization model

๏ Free ?

๏ Pay per usage ?

๏ Free APIs, but paid via Ads

Page 21: Six Steps to Build Successful APIs

Building a Managed API

๏ Creating APIs (interface, docs, samples,etc.)

๏ Advertising APIs

๏ Making APIs subscribe-able by consumers

๏ Associating SLAs

๏ Securing APIs

๏ Monetization and Analytics

Page 22: Six Steps to Build Successful APIs

Services and APIs

๏ Service deals with implementation

๏ API deals with subscription (consumer)

๏ Two very distinct life cycles!

๏ You don’t need the service to create the API...

Page 23: Six Steps to Build Successful APIs

API Versioning Strategies

๏ Version as a query parameter

๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5

๏ Google Data API - "GData-Version: X.0" or "v=X.0"

๏ Version as part of URI

๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/

๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json

๏ Version as a date in URI

๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls

๏ http://www.twilio.com/docs/api/rest/making-calls

๏ Version as a header

๏ Custom HTTP Header

๏ Accept Header
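
To make the strategies on this slide concrete, here is an added Python example (not code from the deck or from WSO2) that extracts the requested version from each of the listed forms and resolves them to a single answer. The Request class, the set of supported versions and the application/vnd.example.v2+json media type used for the Accept-header form are assumptions of the example; the URL shapes are the ones quoted on the slide.

```python
import re
from dataclasses import dataclass, field


# Constructed stand-in for an incoming HTTP request: only the parts the
# versioning strategies inspect (path, parsed query string, headers).
@dataclass
class Request:
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # header names are matched case-insensitively
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())


# Version-looking path segments: "v20.0" / "v2" (Salesforce style) or "1.1"
# (Twitter style). Without a leading "v" a dot is required, so a numeric
# resource id such as 70023522 in the Netflix URL is not mistaken for a version.
_NUM = re.compile(r"^(?:v(\d+(?:\.\d+)?)|(\d+\.\d+))$")
_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # Twilio style /2010-04-01/...
# Assumed vendor media type for Accept-header versioning, e.g.
# application/vnd.example.v2+json (the slide names the strategy, not a format).
_ACCEPT = re.compile(r"application/vnd\.[\w.-]+?\.v(\d+(?:\.\d+)?)\+json")


def version_from_query(req):
    """Netflix / Google Data style: ?v=1.5"""
    return req.query.get("v")


def version_from_path(req):
    """Salesforce /services/data/v20.0/..., Twitter /1.1/..., Twilio /2010-04-01/..."""
    for seg in req.path.split("/"):
        if _DATE.match(seg):
            return seg
        m = _NUM.match(seg)
        if m:
            return m.group(1) or m.group(2)
    return None


def version_from_headers(req):
    """Custom header (GData-Version, quoted on the slide) or the Accept media type."""
    custom = req.header("GData-Version")
    if custom:
        return custom
    m = _ACCEPT.search(req.header("Accept") or "")
    return m.group(1) if m else None


def resolve_version(req, supported, default=None):
    """Run every strategy and return the single version they agree on.
    Conflicting signals and versions the gateway no longer serves are
    rejected rather than silently mapped to something else."""
    found = {v for v in (version_from_query(req),
                         version_from_path(req),
                         version_from_headers(req)) if v}
    if not found:
        if default is None:
            raise ValueError("no API version supplied")
        return default
    if len(found) > 1:
        raise ValueError(f"conflicting version signals: {sorted(found)}")
    (version,) = found
    if version not in supported:
        raise ValueError(f"unsupported version {version!r}")
    return version
```

The resolver treats two strategies disagreeing as an error instead of picking a winner: a gateway that silently prefers, say, the query parameter over the path applies one version's policy to another version's route, which is exactly the kind of ambiguity a versioning scheme is meant to remove. Whichever strategy is chosen, the supported set should be the list of versions that are PUBLISHED or DEPRECATED, never RETIRED ones.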

Page 24: Six Steps to Build Successful APIs

API Lifecycle

๏ An API can pass through multiple states

๏ For example:

๏ CREATED

๏ PUBLISHED

๏ DEPRECATED

๏ RETIRED

๏ BLOCKED

๏ Should integrate with complete governance lifecycle

Page 25: Six Steps to Build Successful APIs

API Security

๏ Security is not an afterthought!

๏ APIs are part of a much larger enterprise picture

๏ How will consumers request an access token ?

๏ Using a SAML 2.0 assertion ?

๏ Using client_credentials ?

๏ Using userid/password ?

๏ Make sure you document thoroughly how developers need to manage tokens:

๏ Tokens are like passwords!

๏ Always use SSL for token transportation !

๏ Use Domain restrictions (WSO2 API Manager)

Page 26: Six Steps to Build Successful APIs

Fine-grained access to APIs

๏ OAuth2 is all about access control: a token is associated with a scope.

๏ XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.

๏ OAuth scope can be represented in XACML policies

๏ Provides fine-grained control over what a user/application can do (e.g. a token allows GET but not POST on an API)

Page 27: Six Steps to Build Successful APIs

Passing Auth Information to back-end services

๏ Using JSON Web Tokens (JWT)

๏ Lightweight

๏ Can be signed

๏ Easy to parse and consume

๏ Standard
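
Slides 26 and 27 together describe the gateway's job: map an access token to its scope, decide whether that scope allows the requested operation, and then hand the caller's identity to the back-end service as a signed JWT. The following added Python example (not the deck's or WSO2's code; standard library only) does both halves and includes the back-end verification step. The token store, the scope-to-operation mapping, the claim names and the shared HS256 key are assumptions of the example; XACML policy evaluation is not shown.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the authorization server's token lookup
# (introspection): opaque bearer token -> subject, application, granted scopes.
TOKENS = {
    "tok-read-only":  {"sub": "alice", "app": "mobile-app",  "scope": {"orders:read"}},
    "tok-read-write": {"sub": "bob",   "app": "partner-app", "scope": {"orders:read", "orders:write"}},
}

# Scope required per operation; this mapping is an assumption for the example
# (the slide only says a scope may allow GET but not POST).
REQUIRED_SCOPE = {
    ("GET",  "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}

# Shared HMAC key between gateway and back end (constructed for the example; an
# asymmetric key pair would let the back end verify without holding a signing secret).
SIGNING_KEY = b"constructed-shared-secret-do-not-reuse"
JWT_TTL = 300  # seconds the back-end token stays valid


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """HS256-sign the claims the back end needs (who, which app, which scopes)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Back-end side: pin the algorithm, check the signature in constant time
    and reject expired tokens before trusting any claim."""
    header, payload, signature = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def authorize(method: str, resource: str, bearer: str, now=None):
    """Gateway side: resolve the opaque token, enforce the scope the operation
    needs and, on success, return a short-lived JWT for the back-end hop.
    Returns (http_status, jwt_or_None)."""
    grant = TOKENS.get(bearer)
    if grant is None:
        return 401, None                  # unknown or revoked token
    needed = REQUIRED_SCOPE.get((method, resource))
    if needed is None:
        return 404, None                  # operation not exposed through the API
    if needed not in grant["scope"]:
        return 403, None                  # e.g. read-only token attempting POST
    issued = int(now if now is not None else time.time())
    claims = {"sub": grant["sub"], "app": grant["app"],
              "scope": sorted(grant["scope"]), "iat": issued, "exp": issued + JWT_TTL}
    return 200, mint_jwt(claims, SIGNING_KEY)
```

Two details carry the security weight here. The scope check happens at the gateway, so the back end never sees a request the token was not granted, and the JWT the back end receives is short-lived and verified with a pinned algorithm, which is what makes the "can be signed" bullet above actually enforceable on the receiving side.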

Page 28: Six Steps to Build Successful APIs

Generic Facade Pattern

๏ Pros

๏ No additional hop in the network

๏ Single Server to be managed

๏ More suited for internal deployments

๏ Cons

๏ Complexity of integration at edge of network

๏ API Management layer can’t really scale independently

๏ Not appropriate for DMZ deployments (direct access to backend services)

Page 29: Six Steps to Build Successful APIs

Separated Facade & Mediation

๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies

๏ Clear separation of concern between layers

๏ Mediation layer and API management layer scale independently

๏ Specific security checks/protection at edge of the network

๏ Provides protocol transformation to the edge of the network

Page 30: Six Steps to Build Successful APIs

Specific WSO2 Solution

๏ Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.

๏ You can install the missing ESB features on top of API manager and combine both architecture layers into a single runtime!

๏ Makes the choice a deployment one.

Page 31: Six Steps to Build Successful APIs

API-centric Challenges, Requirements, Use Cases

๏ Enterprise Integration

๏ Integrate with Enterprise Identity Management, Enterprise Security, and Enterprise Key Management Solution

๏ Integrate with monitoring and statistics dashboard

๏ Integrate with existing Service Gateways

๏ Best Practices

๏ Jump from internal services to external API – what practices are required?

๏ How does API governance reconcile with service governance?

Page 32: Six Steps to Build Successful APIs

Typical Deployment

Page 33: Six Steps to Build Successful APIs

You can’t manage what you can’t measure.

Page 34: Six Steps to Build Successful APIs

Why are Analytics and API Management important together?

๏ Build confidence in the API model

๏ Understand your customer

๏ Not just the developer but also the end-user

๏ Help manage services and versions

๏ Understand when deprecated services can be retired

๏ Plan better

๏ Monitor the growth of aggregated API traffic

๏ Monitor the growth of specific apps

๏ Even if you’re not going to put analytics in place, make sure you capture all events right from the beginning of the project.
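
As an added example, not code from the deck, the following Python queries run over constructed gateway event records and answer two of the questions on this slide: how aggregated and per-app traffic is growing, and which deprecated API versions still have consumers, which is what decides when a version can move from DEPRECATED to RETIRED. The event field names, the sample records and the lifecycle table are assumptions of the example; the lifecycle states are the ones from the API Lifecycle slide.

```python
from collections import Counter, defaultdict

DAY = 86400
_DAY0 = 1_699_920_000        # constructed, day-aligned epoch timestamp
_DAY1 = _DAY0 + DAY

# Constructed gateway events, one per API call. Field names are assumptions;
# the point is that every call is recorded with app, API and version from day one.
EVENTS = [
    {"ts": _DAY0 + 100, "api": "orders",  "version": "1.0", "app": "mobile-app",  "status": 200},
    {"ts": _DAY0 + 200, "api": "orders",  "version": "2.0", "app": "partner-app", "status": 200},
    {"ts": _DAY1 + 100, "api": "orders",  "version": "1.0", "app": "legacy-app",  "status": 200},
    {"ts": _DAY1 + 200, "api": "orders",  "version": "2.0", "app": "partner-app", "status": 201},
    {"ts": _DAY1 + 300, "api": "orders",  "version": "2.0", "app": "partner-app", "status": 200},
    {"ts": _DAY1 + 400, "api": "catalog", "version": "1.0", "app": "mobile-app",  "status": 200},
]

# Lifecycle state per (api, version), using the states from the API Lifecycle slide.
LIFECYCLE = {
    ("orders", "1.0"): "DEPRECATED",
    ("orders", "2.0"): "PUBLISHED",
    ("catalog", "0.9"): "DEPRECATED",
    ("catalog", "1.0"): "PUBLISHED",
}


def calls_per_period(events, period=DAY):
    """Aggregate traffic across all APIs per time bucket (growth of the whole program)."""
    buckets = Counter((e["ts"] // period) * period for e in events)
    return dict(sorted(buckets.items()))


def calls_per_app(events):
    """Traffic per consuming application (growth of specific apps)."""
    return dict(Counter(e["app"] for e in events))


def deprecated_still_in_use(events, lifecycle):
    """Apps still calling each DEPRECATED version; these are the consumers to
    notify before that version can move to RETIRED."""
    users = defaultdict(set)
    for e in events:
        key = (e["api"], e["version"])
        if lifecycle.get(key) == "DEPRECATED":
            users[key].add(e["app"])
    return {key: sorted(apps) for key, apps in users.items()}


def retirement_candidates(events, lifecycle):
    """DEPRECATED versions with no remaining traffic in the event window."""
    in_use = deprecated_still_in_use(events, lifecycle)
    return sorted(key for key, state in lifecycle.items()
                  if state == "DEPRECATED" and key not in in_use)
```

None of these queries is possible after the fact if the gateway only logged request counts: the per-app and per-version attribution has to be in the event record from the first day, which is the point of the last bullet on the slide.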

Page 35: Six Steps to Build Successful APIs

Event Streams

Page 36: Six Steps to Build Successful APIs

Insight Architecture

Page 37: Six Steps to Build Successful APIs

Brands Enhance Revenue

Page 38: Six Steps to Build Successful APIs

Six Steps

๏ Define A Business Model

๏ Build a Managed API

๏ API Security

๏ Reconcile Services and APIs Creation, Lifecycle and Governance

๏ Enterprise Integration

๏ API Branding and API as a Product == Yields => Monetization

Page 39: Six Steps to Build Successful APIs

Download API Manager today!

๏ http://wso2.com/products/api-manager/

Page 40: Six Steps to Build Successful APIs

Contact us !