Six Steps to Build Successful APIs
Download as PPT, PDF5 likes1,159 views
The document outlines six tactics for building successful APIs: 1) define a business model to identify goals like enabling app development or new revenue streams, 2) build managed APIs that are advertised, secured, and monitored, 3) focus on API security like access control and authentication, 4) reconcile service and API lifecycles and governance, 5) integrate APIs with enterprise systems, and 6) brand APIs and treat them as products to enable monetization.
Six Steps to Build Successful APIs
- 1. Six Tactics For Building Successful APIs Chris Haddad VP Platform Evangelism Last Updated: Jan. 2014
- 2. 2 About the Presenter • VP Platform Evangelism • F500/G2000 Advisor • Cloudy DevOps for Dev guy • API Strategy and SOA Roadmap consultant • Architect • SaaS and PaaS • Service portfolio and infrastructure • Java, .NET, JavaScript, Open Source • Learn more about me • Follow me @cobiacomm on Twitter • Blog: http://blog.cobia.net/cobiacomm • Decks: http://www.slideshare.net/cobiacomm/ • Profle: http://www.linkedin.com/in/cobiacomm/ • On Google+ too
- 3. What architecture goal-state is required? http://edcforums.com/threads/the-atwood-collectors-thread-part-2.101226/page-5
- 4. Old IT Responsive IT
- 5. Engage your customers and partners Mobility, Internet of Everything, and Ecosystem Business Models are Transforming The Web
- 6. APIs Fit Into A Bigger IT Picture
- 7. Connected Business Reference Architecture
- 8. Architecture Focus Areas Integration Expose Services as APIs Big Data Streams and Analytics
- 9. Architecture Focus Areas Identity and Entitlement Management Cloud AppDev Developer Studio App Factory AS incl. Jaggery), UES, DSS,
- 11. Enterprise Service Bus Component Architecture
- 12. API-centric Focus An API is a business capability delivered over the Internet to internal or external consumers ๏ Network accessible function ๏ Available using standard web protocols ๏ With well-defined interfaces ๏ Designed for access by third-parties
- 13. API-centric Focus A Managed API is: ๏ Actively advertised and subscribe-able ๏ Available with SLAs ๏ Secured, authenticated, authorized and protected ๏ Monitored and monetized with analytics
- 14. 14 API Centric Capabilities
- 15. API-centric Integration Capabilities ๏ Expose APIs for public consumption ๏ Extend your business through APIs. ๏ API Branding ๏ Expose APIs for internal consumption ๏ Manage the APIs used in internal applications ๏ Detect Usage Patterns ๏ Internal Monetization ๏ Control Access to Cloud Services ๏ Manage and Secure access from internal applications to cloud services (SalesForce, Google Apps, etc.) and between cloud-to-cloud interactions
- 16. 16 API Management Platform Capabilities ๏ What the platform must do, at a minimum: ๏ Users Management (self-sign up, profile management) ๏ API Publication / API Store ๏ API Security ๏ Statistics ๏ SLA control ๏ Throttling / Rate Limiting ๏ API Versioning ๏ Monetization/Billing ๏ and more ! ๏ You could build all of this yourself, but...
- 17. Open API and Collaboration
- 18. Enterprise SOA and API Integration Platform: API-centric View
- 19. Six Steps ๏ Define A Business Model ๏ Build a Managed API ๏ API Security ๏ Reconcile Services and APIs Creation, Lifecycle and Governance ๏ Enterprise Integration ๏ API Branding and API as a Product == Yields => Monetization
- 20. 20 Define a Business Model ๏ What are the business goals ? ๏ Enable 3rd-party Mobile Apps development ? ๏ Increase brand recognition ? ๏ Open new revenue channels ? ๏ Define Monetization model ๏ Free ? ๏ Pay per usage ? ๏ Free APIs, but paid via Ads
- 21. 21 Building a Managed API ๏ Creating APIs (interface, docs, samples,etc.) ๏ Advertising APIs ๏ Making APIs subscribe-able by consumers ๏ Associating SLAs ๏ Securing APIs ๏ Monetization and Analytics
- 22. 22 Services and APIs ๏ Service deals with implementation ๏ API deals with subscription (consumer) ๏ Two very distinct life cycles ! ๏ You don’t need the service to create the API...
- 23. 23 API Versioning Strategies ๏ Version as a query parameter ๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5 ๏ Google Data API - “GData-Version: X.0″ or “v=X.0″ ๏ Version as part of URI ๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/ ๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json ๏ Version as a date in URI ๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls ๏ http://www.twilio.com/docs/api/rest/making-calls ๏ Version as a ๏ Custom HTTP Header ๏ Accept Header
- 24. 24 API Lifecycle ๏ An API can pass through multiple states ๏ For example: ๏ CREATED ๏ PUBLISHED ๏ DEPRECATED ๏ RETIRED ๏ BLOCKED ๏ Should integrate with complete governance lifecycle
- 25. 25 API Security ๏ Security is not an after thought ! ๏ APIs are part of a much larger enterprise picture ๏ How will consumers request an access token ? ๏ Using a SAML 2.0 assertion ? ๏ Using client_credentials ? ๏ Using userid/password ? ๏ Make sure you document thoroughly how developers need to manage tokens: ๏ Tokens are like passwords!
- 26. 26 Fine-grained access to APIs ๏ OAuth2 is all about access control: a token is associated to a scope. ๏ XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control. ๏ OAuth scope can be represented in XACML policies ๏ Provides fine grain control over what a user/application can do ( i.e. you can call GET but not POST on an API)
- 27. 27 Passing Auth Information to back-end services ๏ Using JSON Web Tokens (JWT) ๏ Lightweight ๏ Can be signed ๏ Easy to parse and consume ๏ Standard
- 28. 28 Generic Facade Pattern ๏ Pros ๏ No additional hop in the network ๏ Single Server to be managed ๏ More suited for internal deployments ๏ Cons ๏ Complexity of integration at edge of network ๏ API Management layer can’t really scale independently ๏ Not appropriate for DMZ deployments (direct access to backend services)
- 29. 29 Separated Facade & Mediation ๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies ๏ Clear separation of concern between layers ๏ Mediation layer and API management layer scale independently ๏ Specific security checks/protection at edge of the network ๏ Provides protocol transformation to the edge of the network
- 30. 30 Specific WSO2 Solution ๏ Our API gateway is actually a full-blown ESB under the hood, constrained at UI level. ๏ You can install the missing ESB features on top of API manager and combine both architecture layers into a single runtime! ๏ Makes the choice a deployment one.
- 31. API-centric Challenges, Requirements, Use Cases ๏ Enterprise Integration ๏ Integrate with Enterprise Identity Management, Enterprise Security, and Enterprise Key Management Solution ๏ Integrate with monitoring and statistics dashboard ๏ Integrate with existing Service Gateways ๏ Best Practices ๏ Jump from internal services to external API – what practices are required? ๏ How does API governance reconcile with service governance?
- 33. 33 You can’t manage what you can’t measure.
- 34. 34 Why Analytics and API Management are important together? ๏ Build confidence in the API model ๏ Understand your customer ๏ Not just the developer but also the end-user ๏ Help manage services and versions ๏ Understand when deprecated services can be retired ๏ Plan better ๏ Monitor the growth of aggregated API traffic ๏ Monitor the growth of specific apps ๏ Even if you’re not going to put analytics in place, make sure you capture all events right from beginning of project.
- 35. Event Streams 35
- 38. Six Steps ๏ Define A Business Model ๏ Build a Managed API ๏ API Security ๏ Reconcile Services and APIs Creation, Lifecycle and Governance ๏ Enterprise Integration ๏ API Branding and API as a Product == Yields => Monetization
- 39. 39 Download API Manager today! ๏ http://wso2.com/products/ap i-manager/
- 40. Contact us !
Editor's Notes
- #4: http://www.candlepowerforums.com/vb/showthread.php?140691-The-Official-Atwood-collectors-thread/page7
- #6: Mobility, Internet of Everything, and Ecosystem Business Models are Transforming The Web towards a new interaction model, and businesses must adapt. Without adapting business practices and IT systems towards web API interaction, organizations will be unable to maintain or increase engagement with customers and partners. People are shifting away from destination sites (e.g. Yahoo, Google Search, CNET, CNN) and social networks (e.g. Facebook, Twitter) towards accessing information and interacting with businesses using Web APIs and local apps.
- #7: When defining a roadmap to align IT’s pace with business agility expectations, establish IT team objectives that quicken IT solution development and delivery, offer new technology as on-demand shared services, and enhance your team’s ability to rapidly satisfy emerging business use cases (e.g. social collaboration, mobile application connectivity, ecosystem partnering). Open source PaaS, Open APIs, and Open Ecosystems are accelerating agility, empowering developers, and enabling innovative business strategies. In a recently published white paper, I describe how adopting a New IT plan can create a responsive IT team. The path to New IT requires moving away from traditional application platforms, traditional team structure, and traditional information flows. Responsive IT teams are adapting their infrastructure, processes and tooling to re-invent the application platform and re-think application delivery. The New IT architecture underlying Responsive IT intelligently incorporates Cloud Platforms, BigData Analytics, Enterprise DevOps, and API first development.
- #18: Open APIs are empowering developers by delivering business building blocks. Teams can rapidly compose solutions to meet shifting business demand by re-using Open Data and Open APIs. Teams are embracing long tail development communities that enable innovative business ecosystem strategies to emerge, with Open Data and Open API foundations. In a New IT operations model, instead of being a single-purpose delivery team, IT serves as a broker and validator of solution building blocks. Manage APIs for external value chain and customer use in mobile Apps. Establish tiers of service, track usage of APIs, social data collection, social data analytics, versioning. Also use internally to track internal re-use, ease of re-use, control access “Layer 7 and Wso2 Blend service integration and a good api Consumer experience. Most API management adopters among our clients will need to build their corporate platforms on existing systems and integration efforts. So they will need a good client app developer portal, traffic management sophistication, and the means to map, convert, and manage existing service endpoints.”* * The Forrester WaveTM: API Management Platforms, Q1 2013 By Eve Maler and Jeffrey s. Hammond, February 5, 2013
- #19: Which platform components are in your architecture?
- #38: API brands enable you to build mindshare with your target audience. Mindshare increases API visibility; visibility encourages individuals (and devices) to discover and evaluate your API. API evaluation triggers API adoption, and adoption realizes your goals (i.e. increased interaction and revenue growth). Execute a virtuous API branding cycle.