wso2con eu 2015: api management strategies and best practices


Upload: wso2

Post on 30-Jul-2015


TRANSCRIPT

● An API is a business capability delivered over the Internet to internal or external consumers
  ○ Network accessible function
  ○ Available using standard web protocols
  ○ With well-defined interfaces
  ○ Designed for access by third-parties

● A Managed API is:
  ○ Actively advertised and subscribe-able
  ○ Available with SLAs
  ○ Secured, authenticated, authorized and protected
  ○ Monitored and monetized with analytics

● API Creator - Designs, implements, manages and versions APIs

● API Publisher - Publishes, promotes and encourages consumers to adopt APIs

● API Consumer - An application developer who understands the API interface definition

API Design First

Richardson Maturity Model

Read more in http://martinfowler.com/articles/richardsonMaturityModel.html

Hypermedia Controls

Swagger

Swagger is a simple yet powerful representation of your RESTful API.

Why do I need it?

Publishing an API

Adding API Definition

API Versioning

Securing an API

OAuth 2.0

● Has become the de facto standard for API security

● Primarily operates on an Access Token

● Introduces Grant Types and Token Types

● The OAuth 2.0 specification defines 4 major grant types
  ○ Authorization Code
  ○ Implicit
  ○ Resource Owner Password Credentials
  ○ Client Credentials

Authorization Code Grant

• Recommended for web applications or native mobile applications capable of spawning a web browser

Implicit Grant

• Mostly used by JavaScript clients running in the web browser

Resource Owner Password Credentials Grant

• Used by trusted client applications

Client Credentials Grant Type

• Two-legged OAuth: the Client becomes the Resource Owner

Access Control with Scopes

• OAuth 2.0 Scopes, a mechanism to control what access tokens can do with Resources

Defining a Scope

Access Control with Scopes

• Applying a scope to a Resource

Fine Grained Access Control

Throttling API Usage

• Why do you need to throttle?

• "Rate Limiting".

• Let's see how to throttle API usage with APIM (demo).

JWT Token

• When to use a JWT token?

• What does it look like?

Header:
  { "typ":"JWT", "alg":"NONE" }

Claims:
  {
    "iss":"wso2.org/products/am",
    "exp":1345183492181,
    "http://wso2.org/claims/subscriber":"admin",
    "http://wso2.org/claims/applicationname":"app2",
    "http://wso2.org/claims/apicontext":"/placeFinder",
    "http://wso2.org/claims/version":"1.0.0",
    "http://wso2.org/claims/tier":"Silver",
    "http://wso2.org/claims/enduser":"sumedha"
  }

JWT Token

(Diagram: Client / Partner -> Gateway (with Key Manager, Store, Publisher) -> Back End; the JWT Token is passed from the Gateway to the Back End)
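An added example, not from the slides or from WSO2's own code: a back-end check for the gateway-issued JWT shown above. It rebuilds the slide's token from its claims and then refuses to trust it unless the algorithm is pinned, the signature verifies, the issuer matches and the token is unexpired. HS256 with a shared secret is an assumption standing in for the gateway's key-store signature, and the secret value is constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret (assumption: HS256 shared between gateway and back end).
GATEWAY_SECRET = b"constructed-demo-secret"

# Claims copied from the slide's sample token.
SLIDE_CLAIMS = {
    "iss": "wso2.org/products/am",
    "exp": 1345183492181,  # 13 digits on the slide: milliseconds, not RFC 7519 seconds
    "http://wso2.org/claims/subscriber": "admin",
    "http://wso2.org/claims/applicationname": "app2",
    "http://wso2.org/claims/apicontext": "/placeFinder",
    "http://wso2.org/claims/version": "1.0.0",
    "http://wso2.org/claims/tier": "Silver",
    "http://wso2.org/claims/enduser": "sumedha",
}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(claims, alg, secret=GATEWAY_SECRET):
    """Build a compact JWT; alg 'NONE' gives the unsigned form shown on the slide."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg.upper() == "NONE":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_backend_jwt(token, secret=GATEWAY_SECRET, now_ms=None):
    """Return the claims only if the signature, issuer and expiry all check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never select "none" (or a weaker alg) for itself.
    if header.get("alg") != "HS256":
        raise ValueError(f"rejected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != "wso2.org/products/am":
        raise ValueError("unexpected issuer")
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now_ms:
        raise ValueError("token expired or exp missing")
    return claims
```

The unsigned "alg":"NONE" form on the slide is rejected outright, so the tier, subscriber and end-user claims are only acted on when they demonstrably came from the gateway.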

Analytics

Operational Purposes
• Know when your system is heating up
• Know when to scale up/down
• For Alerts/Notifications
• Threat detection

Business Purposes
• Identify user types/categories by device (User Agent)
• Identify usage by Geographical location
• Know when to promote/retire your APIs

Analytics in API Manager

(Diagram: Client / Partner -> API Manager -> Back End Service; event streams published from the gateway; aggregated data written to the STAT DB; statistical data retrieved for display)

Identity Federation

• Useful in scenarios where you need to authenticate users through an Identity System that’s already in place

Integration with external OAuth servers

• Enterprises which already have an identity system capable of doing OAuth might be interested in integrating the API Management platform with it.

API Facade Pattern

• It is an architectural best practice to use the Facade pattern to clearly separate out the API layer and the mediation layer, to facilitate better separation of concerns.

Deployment FAQ

• How many servers do I need to achieve my performance requirement?

• How to scale with time?

• How to secure the deployment?

Deployment Performance Numbers.

• 1300 TPS for EC2 m1.large.

• Upcoming release AM 1.9 has shown more than 4000 TPS for a tuned setup. We will be benchmarking on EC2 after the release.

Deployment

(Diagram: Client / Partner and Back End)

Clustering Step 1

(Diagram: Client / Partner -> Gateway, with Key Manager, Store and Publisher -> Back End)

Clustering Step 2

(Diagram: the components above backed by the shared databases apimgtdb, gregdb and userdb)

Clustering Step 4

(Diagram: Client / Partner -> GW Manager and GW Worker Nodes, synchronised via SVN -> Back End)

Clustering Step 5

(Diagram: Client / Partner -> Gateway Cluster; Key Manager Cluster; Store; Publisher -> Back End)

Caching Step 6

(Diagram: the same Gateway Cluster, Key Manager Cluster, Store and Publisher layout with caching added)

Securing Deployment

(Diagram: the Gateway Cluster, Key Manager Cluster, Store and Publisher layout, with the Client / Partner-facing components placed in a DMZ in front of the Back End)

Integration and Automation

• We are working on a complete RESTful API for API Manager.

• The Swagger definition can be found at http://hevayo.github.io/restful-apim/#/