API management — Key things to know
APIs form a crucial part of product development. Products are made available to the user in multiple form factors like web, smartphones, voice assistants, smart cars, IoT devices, etc. Exposing the same set of API’s to different form factors is a challenging task as the architecture gets complex day by day because of the addition of new devices, external consumers, etc. Hence, even though API management by itself does not hold any business logic or data, it has raised as one of the key functional areas in product development.
Apart from the scalability, reliability, agility, and availability, other key management techniques should be taken care of in API management.
Let us see some of the common key aspects of API management.
1) Secured access — API gateways should be completely secured since they are the entry point to business logic and data. Any compromise on the security layer at the API gateway can lead to a serious data breach. However, API gateways should be able to extend to support multiple consumers. The consumer of the API’s may grow daily. One of the key aspects is to handle API gateways by not having any downtime or maintenance window to onboard a new consumer. This can be resolved in 2 different ways -
A) The host of the API gateway will create a service account with a public-private key combination while they onboard a new consumer. The private key will be shared with the consumer to keep it securely in a vault. The consumer generates the token out of the private key every-time when they have to call the API gateway.
B) An API gateway can attach the authorizers as needed in the security layer of the API gateway. The authorizer will validate the tokens using the JWKS or by calling the token provider.
2) Identity aware proxy — Authentication at the API gateway relies not only on the tokens but also on the other identity parameters attached to the request. These identities are used to determine the quality of the request coming from a user. This is an extended security model for today’s security standards and protocols. The collection of identities can be enforced by the API host using an SDK or JS library to consume the API. Identity information can be anything like location, type of the device, IP address, phone number, email, etc. Even though security is enhanced, right PII handling should be in place to protect the information of the user.
3) Context-aware access — Authorization on what API’s can be consumed will be determined based on the identities collected from the identity-aware proxy. APIs can grant access to the user without having to rely on perimeter-based networking security like a firewall. For instance, the location of the originated request can be used to determine whether to grant access to the application or not. By achieving this, the API will fall under the zero trust model. Having context-aware access eliminates the need to manage too many firewalls for ingress and egress traffic.
4) Firewall — Tokens with identity parameters and context-aware access provides a zero trust model similar to Google’s beyond corp. However, there is nothing wrong with attaching the firewall rules to the API gateway. Some very high-level conditions like geography, IP constraints, SQL injections, etc can be handled using firewall managers and rules.
5) Mediation and orchestration — The many different backends connected to an API management platform can change much frequently. One of the biggest advantages of having a well-managed API proxy is not to disturb the API consumers even though the back end may change quite frequently. API’s can achieve this by using mediation as a key tool. The mediation proxy layer acts as a bridge between the API consumer and the many different backends by transforming the requests and responses as needed. API orchestration handles things like merging API’s of one or more application or merging multiple internal API’s into one for the frontend to consume.
6) Staging — Staging is the way to make the developed API’s accessible by the end consumer. Staging involves handling versioning by adding new APIs or by adding new features to the existing API’s or by retiring the old API’s. Staging of the API will be mostly handled by the release management team.
7) API keys, usage plans, and rate-limiting — Depending on the SLA, SOW and the business model with the consumer there will be restrictions on the parameters like the number of times an API can be assumed, throttling limits, the time in a day the API’s can be consumed, etc. This behavior can be achieved by providing an API key for every consumer and by attaching the API key with the usage plans. Usage plans generally manage the mentioned parameters. Also, when the contract of the consumer expires, access to the API’s can be easily revoked by removing the API key provided to the consumer.
8) Caching — Frequent access to the backend system or the database, for the same data, is a very costly operation in terms of resource utilization, traffic, and the latency involved in the operation. Caching at the API gateway layer can address the issue. Caching comes in handy especially when multiple systems access the same read-only data multiple times within a stipulated window.
9) Logging and support — Once when the API is available for consumption, maintenance, and support for the API gateway begins. Logging of the incoming requests and the outgoing response can help to debug the issues. However, caution should be taken on the parameters being logged. In general, only the request headers will be logged for monitoring and debugging purposes in a production environment.
10) Documentation — API documentation contains the collection of API resources, its methods, reference materials, tutorials, and examples the consumers can use to develop against the API. In simple terms, documentation is the way that the consumer gets to know about what is possible with the API and how to implement them. Swagger is one of the very popular API documentation tools that many enterprises use.
11) Governance — API first approach is one of the keys to a successful product build-out. Governance helps in bringing in best practices and standards for building the API’s and also enforces the same on any new API’s that will be built. API discovery, deprecation policy, API contract, Style guidelines, etc are some of the key parameters in API governance. This has to be handled by a centralized team within the enterprise.
12) Analytics, trends, and metrics — Analytics with API usage helps in securing the API endpoint by understanding the behavior and the usage pattern of the consumer. Trends help API gateway hosts to introduce new API for the consumers. Metrics help in monitoring the performance of the API.
13) Managed at the cloud — At last, all the above-mentioned aspects of API management can be done by deploying API gateway products in the form of containers in the cloud (or on-prem) or by using managed API gateway products like AWS API gateway, GCP’s cloud endpoint, etc.
The discussed aspects have to be taken care of technically and implementation wise while hosting the API gateway. However, as a consumer of the API’s it is equally important to understand at a high level on the need for these API management techniques. This common understanding will help both the consumer and the API host arrive at an API contract easily.
Also, the rise of cloud services has given some new API services like,
- API-as-a-Service (APIaaS)
- AI-as-a-Service (AIaaS)
- Healthcare API’s
- Retail API’s and so on.
Share your thoughts and experience on the API management and how you are consuming API in your solution.
Originally published at http://shankarkumarasamy.blog on April 29, 2020.