As companies move toward microservices-based application architectures, the importance of managing APIs grows in tandem. API management involves a chain of planned actions, and the decisions you make at one step will dictate how you attack the next.
There are five distinct steps when managing APIs: API design and development, API exposure, API security, API performance analysis and, finally, API lifecycle management. An API management plan should address each of these steps diligently.
API design and development
The best first step in API design and development is to build a functional view of the application. This view should divide the application into logical components that recognize the specific software model -- e.g., event-based, transactional or analytical. It should also define the functional APIs needed, as well as the general type of information that is exchanged through the APIs.
Importantly, API documentation must start in this phase, because it eventually ties all the steps of API management together. Try to find API documentation tools that can integrate into development team collaboration.
The next step in API management is to consider how to publish and access APIs. This step is where the choice between an API proxy or an API gateway comes into play. Both act as an intermediary element between users and the API to provide security, compliance and monitoring features. This is perhaps the most critical step in the API management process, because it influences the next steps.
API proxies are lightweight templates that enforce API access rules, whereas gateways are much more sophisticated. The security and compliance policies that gateways enforce are much more complex, have a higher overhead in execution and can impact performance. If you select a gateway, you'll need to pay particular attention to performance testing. If you select a proxy, you will want to consider adding network security and other mechanisms that control API visibility to supplement the proxy's capabilities. No matter what your choice, make sure to document your actions here, and explain all the reasons for your choice.
There are other practices that can improve security, regardless of whether you choose a proxy or a gateway. One practice is to never mix secure and insecure functions in the same API. Some developers may want to reuse old API components, but that can extend an API into an area with a higher security risk. It's also important to use network addresses and firewalls that limit access to secure APIs. When internal applications access APIs, it's best to keep the components that the APIs represent on a private subnet.
Most API security management is done via tokens that represent a permission to do something. An API's security depends on token security. This should always come in the form of an access token and not an identity token. In other words, the token should remain specific to the API and the API's user and never be a simple identification of the user. Identity tokens are difficult to maintain, and they almost always result in unauthorized access or erroneous access denials.
API usage and performance
Multiple goals exist for API usage and performance analysis. Unfortunately, API development projects normally don't achieve any of them. API usage monitoring is a great way to put a check on security and governance policies. This step can help ensure that API use conforms with your tools. In addition, API performance is a major factor in user quality of experience.
A performance analysis can also help you determine whether the component an API represents needs to scale for variable workloads. API gateways often feature usage and performance monitoring more than API proxies, so consider this point when you choose between the two.
Match tools to your API mission
Before your DevOps team starts with your API management strategy, it's important to identify any product sets that support your goals. Companies like 3scale, Akana, Boomi, Microsoft, Oracle and Tibco provide suites of products that help manage APIs through their entire development and deployment cycle. Review these tools with your specific API mission -- such as web services, microservices or event processing -- in mind. If you're already committed to a specific software architecture that includes API management, you should carefully consider the tool you choose.
API lifecycle management
API lifecycle management is related to -- but not the same as -- application lifecycle management (ALM). The primary difference between the two terms is that APIs extend beyond an application and may, in fact, link many applications into a cooperative ecosystem.
There are two possible ways to integrate API lifecycle management into ALM. The first is to use API lifecycle management to identify how an API's exposure affects application integration. The second is to set up your ALM so that it automatically evaluates any API change and determines the impact. If you're already using ALM, the latter won't affect your development processes as much. But overall, the best approach is to start any application change process with an assessment of API impact. Then, use that impact analysis to identify the full scope of how the applications that use that API change.
Never forget your APIs
Managing APIs is about more than just software. APIs are the glue that integrates all software and defines the way business information migrates through business processes. It's important that API designers never forget that and employ thorough management practices that preserve API integrity.