API management
What is API management?
API management is the process by which an organization creates, oversees and controls application programming interfaces (APIs) in a secure, scalable environment. The goal is to ensure the needs of developers and applications that use an API are met throughout the API's lifecycle, maintain API availability and performance, and translate API services into business revenue.
API management needs differ from organization to organization, but API management itself encompasses some basic functions, including security, monitoring and version control.
API management has become prevalent as the number of APIs and the administrative complexities related to them have increased. Management has also become more important as APIs are used more for cloud-native and multi-cloud computing, and on-premises application integration.
The requirements and process of building and managing APIs differ from most other applications. Proper API use requires strong documentation, heightened security, comprehensive API testing, routine versioning and high reliability. The use of API management software has also increased because these requirements often exceed the scope of the software-based projects organizations typically run.
Why is API management important?
APIs expose a company's data and make enterprise assets available through applications. Organizations use APIs to add a layer of data access and processing to customer, employee and partner interactions. API management also enables developers and organizations to secure, scale, govern, analyze and monetize API programs.
API management is important in several other ways, including the following:
- API security. API management protects APIs against unauthorized access and threats. However, it goes beyond authenticating and authorizing users. Standards and policies must be set to protect sensitive data and ensure it isn't leaked or compromised. API management platforms help organizations define standard API security policies and ensure traffic to back-end systems is successfully managed.
- API governance. This element of API management creates a consistent user experience. It also includes API discoverability, lifecycle management, documentation and reusability. API governance allows developers to ensure that each API program is built proactively and fulfills a specific goal that adds value to the business. As mobile devices have become ubiquitous for engaging with applications, effective API governance helps developers create rich, complex APIs that improve the mobile user experience.
- API analytics. This element of API management focuses on the centralized collection and analysis of API metrics from real-time monitoring and dashboards. API analytics helps developers and organizations see and understand how their APIs are used and evaluate their performance. This component is beneficial to developers, IT operations and business teams.
- API monetization. API management supports API monetization, or the ability of an enterprise API to generate revenue. This includes the creation of customized packages and plans; the productization and monetization of data; and the proper licensing of products that use the API. For example, if a business builds an application to access another organization's data through that organization's API, API management ensures that the client business registers and pays the appropriate fees for accessing and using the API and data.
How does API management work?
API management is an overarching term describing a software stack established between API users and API providers with data and application access on the back end. At a minimum, an API management software stack has the following four elements:
- API. The API is at the heart of any API management stack. It provides the features and functions users and devices can access through API calls.
- API gateway. The API gateway is the front end of API management. It provides security, such as authentication and credential management; policy management; call rate throttling; routing; logging; monitoring; and observability features for the API provider.
- Developer portal. This feature provides self-service access, testing and documentation that let developers learn, experiment and onboard a provider's APIs into their software development projects. This is where developer accounts get created and managed.
- Management tools. Management tools -- sometimes called the management plane -- provide administrative features of API management, including provisioning, scaling, policy creation and enforcement, user management, version management and data analytics.
API providers use management tools to create and define the API and manage its versions. They also use these tools to create the security and policies associated with the API and its use. Once the API is complete, it is published so it can be found and used.
Developers can build applications to use a provider's API. The provider's developer portal gives access to documentation, the test environment and the analytics needed to build the client application and ensure it can discover and use a provider's API. Developers use analytics to see how the application is interoperating with the API; identify errors, such as the number of rejected or failed API calls; and monitor API access and response performance.
Actual API usage starts with a consumer device or application capable of using the provider's API. The API is typically discovered and enabled through an authorized account that might have to be created with the API provider. A suitable account will typically deliver appropriate credentials, such as an API key or OAuth token, to the consumer device or application.
When the consumer device or application makes a call to an API governed by API management, the API management gateway processes it. The gateway handles access, security, rate limiting and enforces any other established policies from the API provider.
An API call might be rejected because it came from an unauthorized device or application or lacks an account to use the API. When this happens, the gateway provides notification of the rejection and its cause.
If the API call is allowed, the gateway will forward the API call to the API service and on to its associated back-end services, such as a data store. The results of the call -- such as requested data or the results of a requested action -- go through the gateway and back to the client.
What are the benefits of API management?
API management benefits include the following:
- The ability to make data-driven decisions through business insights gained from API analytics.
- Protection from security threats that affect APIs.
- Detailed API documentation to attract developers and inform users.
- Centralized visibility that lets organizations see all their API connections in one place, reducing security vulnerabilities, decreasing the number of repetitive APIs and identifying gaps for developers to address.
- API monetization that lets organizations share revenue with partners and track billing in real time.
- A positive user experience for API consumers.
- API agility and the ability to rapidly create new digital assets.
- A flexible, agile, adaptable and innovative ecosystem that simplifies the way people, processes and technology work together.
API management also lets organizations optimize existing legacy systems by updating outdated security protocols so they match the modern standards of today's APIs. API management software can translate complex data from legacy systems into easier message formats. Furthermore, API management can be used to combine back-end services into one functionality exposed as an API.
What are the challenges of API management?
Organizations must consider numerous potential challenges to API management, including the following:
- API version control and compatibility issues.
- The API management infrastructure as a point of failure, resulting in unplanned downtime that can render client applications inoperable.
- Incomplete documentation of the APIs and the management system that can be labor-intensive, especially where the management system must handle many versions of diverse APIs.
- Security as a continuous threat at many levels, including the API's access to business data and the security of the API management infrastructure itself.
- Standardization issues that make it difficult to ensure all APIs are deployed and used in a common style and process.
- Scalability capabilities that are often poorly tested and rarely monitored throughout the API lifecycle.
- Lack of suitable analytics to track API management metrics and key performance indicators in a way that's suited to the needs of each API client.
API management software tools and platforms
API management software is designed and built to make API design, deployment and maintenance easier and efficient. Although each API management tool has its own set of features, most include essential ones, such as API documentation, security, sandbox environments, high availability and backward compatibility.
API management software tools typically provide the following functions:
- Automation and control of connections between an API and the applications that use it.
- Consistency among multiple API implementations and versions.
- Monitoring traffic from individual apps.
- Memory management and caching mechanisms to improve application performance.
- Security procedures and policies to protect the API from misuse.
- Configuration of endpoints, load balancing and fault tolerance.
API management software can be built in-house or purchased as a service through a third-party provider. The Open API movement was spearheaded by major companies, including Facebook, Google and X, formerly known as Twitter. It reduced API dependency on conventional service-oriented architecture in favor of more lightweight JavaScript Object Notation (JSON) and representational state transfer services. Some API management tools can convert existing SOAP, Java Message Service or Message Queue Interfaces into RESTful APIs or JSON content.
Some organizations stitch together multiple API management tools to meet their management needs. Others use an API management platform, which typically is a prefabricated collection of tools packaged in a standardized API creation, deployment and management environment. An API management platform acts as a proxy for API requests and protects back-end services from being brought down either intentionally or unintentionally by too many queries or breaches. Policies such as a rate limit accomplish this.
API management platform architecture
The ideal API management platform generally incorporates a layered architecture with interacting components that work from end to end in the API lifecycle. These include analytics and usage reporting, API key and authorization management, live updated documentation and developer community management. The platform might also include a portal for developers to acquire and distribute APIs needed to build certain applications.
The following are some of the main components in these platforms:
API portal. These portals are also referred to as the community manager. They enable API developers and owners to successfully deploy and onboard their APIs, including access control of the API through plans and contracts. Internal and external developers also use the API portal to test and document APIs as well as assess availability.
API lifecycle management. This component helps an organization manage the state of the API at each point in its journey. API lifecycle management typically follows an API's progress through design, development, testing, deployment, deprecation and, finally, retirement.
API policy manager. This aspect controls the lifecycle of policies used to define and manage the API. API policies will follow the same journey as an API, from design to retirement. Many API management platforms provide users with out-of-the-box policies that control API traffic, enhance security, improve API performance and increase the value of the API. Users can implement these policies without writing code or modifying back-end services.
API analytics. This feature provides platform users with dashboards that display different operational aspects and business metrics. This data can be used to gather insights on the error, performance constraints of an API and about API use. This information can support business decisions such as whether to monetize the API.
API gateway. This is software that handles the request and presentation of APIs to a user or client device. API gateways also can be used as a management tool in a microservices architecture, and streamline business-to-business integration as an alternative to legacy approaches such as electronic data interchange services.
The API gateway is the crucial middleman between API consumers and providers, and that presents challenges. If the API gateway's functionality is impaired, it could cause the failure of associated services, and if it's compromised, that's a potentially serious security threat. Enterprises must build strong resiliency into the API gateway, be wary of adding features that affect performance, and separate external-facing interfaces from internal APIs and systems.
API management platform examples
A range of API management platforms are available; they're tailored to the needs of businesses of various sizes. Several software companies, including IBM, Microsoft, Oracle and Red Hat, have created their own offerings for API management.
Examples of popular API management platforms include the following:
- Akana by Perforce.
- Amazon API Gateway.
- Apidog.
- Apigee Edge.
- Broadcom Layer7 API Management.
- Google Cloud Apigee API Management.
- Microsoft Azure API Management.
- MuleSoft Anypoint Platform.
- Postman.
- Sensedia.
- Software AG.
- SwaggerHub.
- Tibco Software.
- WSO2 API Manager.
Various open source options for API management provide an alternative to proprietary tools. Examples include API Umbrella, Gravitee.io, Kong, Moesif and Tyk.
Without proper management, large portfolios of APIs can get out of control. Find out what you can do to prevent API sprawl from happening.