
Session 7 - API Management

Uploaded by

72 Yash Shinde
Copyright
© All Rights Reserved

API Management

Session 7
Section 1
Overview of API Management
What is API Management?
Most common definition
API management is the process of publishing, documenting and supervising
Application Programming Interfaces in a secure & scalable environment.

Under the covers, however, API management spans multiple activities.

But why do we need to manage it?

- APIs grow with time
- APIs change over time
- API usage varies with client
- Some common problems can be handled at the API level (rather than at the implementation level)
API - Powering the Digital Economy
● APIs are the key drivers of today’s Digital Economy

APIs have opened up possibilities for:

- New Business models - e.g. CRED
- New Partnerships - Razorpay offering Current A/C services & Instant Loans
- New Revenue streams

APIs are themselves products and, like any other product, their lifecycle
needs to be managed.
API Management Activities

● API Lifecycle
● Security
● Traffic Management
● Productivity
● Analytics
● Productize
● Monetize
Common API management platforms
API Management Platforms
API Management Model

1. Agent Based
2. Proxy Based
Agent Based Model
[Diagram: Client Application, Security, Gateway, Policies, Enterprise Network]
Proxy Based Model
[Diagram: Client Application, Policies, Enterprise Network, Dev Portal, App Developer]
API Gateway vs API Proxy
An API proxy acts as a gateway between your developers and backend services.

An API gateway provides 3 additional capabilities over an API proxy:
- Mediation
- Orchestration
- Integration

An API proxy is basically a lightweight API gateway.

When the needs are heavy, as in enterprise-level usage, an API gateway should be used.
Section 2
Lifecycle & Productivity
4 stages of API life cycle

BUILD PUBLISH DEPRECATED RETIRED

● Establish process, practices & roles
● Publish roadmaps in advance
● Setup App developer communication
● Leverage tools for API management

Not a standard feature of API management platforms
Productivity

App Developer
● API Documentation
● Self serve provisioning
● Support

API Developer
● Development guidelines
● Frameworks
● Best practices

Developer Portal
API Management Platform Support
● Design & Development
○ Specification based tooling
○ Utilities & Tools
● Policy based implementation
○ XML
○ JSON
● Support for extensions
○ Javascript
○ Java
○ Groovy
Section 3
API Developer Portal
Developer Portal

One stop shop for the App developers

API Documentation

Self service

Support
API Documentation

● Manage in Swagger

Try it Now

Provide sample code

Provide sample data

Provide SDK
Demo: https://editor.swagger.io/
Sample API developer portal

ICICI Developer Portal: https://developer.icicibank.com/

Uber developer portal: https://developer.uber.com/


Manual provisioning
Self provisioning
Section 4
API Security Management
Key/Secret Management

● Every API must require, at a minimum, an API key
○ Invalidate the key for a misbehaving client
○ Generate analytics with the key as the identity
○ Usage metrics

● Commonly implemented using OAuth 2.0


OAuth2 Implementation
Threat protection

● API testing practices
● Third party vulnerability assessment
● Continuous monitoring
● Implement threat protection in the proxy

APIGEE Threat protection policies
Section 5
API Traffic Management
Need of Traffic Management

App Developer API Developer Data Owner

Response time consistency

Service Level Agreement (SLA)

Protecting the Backend


Response Time consistency
Service Level Agreement

● Ensure that the SLA is met by the Provider
● Enforce the SLA on the consumer
Protecting the Backend

Block or throttle the request

Solution - Traffic Management Policies
Traffic Management >> Quota policies

● Defines Maximum # of Calls per unit time


Traffic Management >> Rate limiting

● Limits number of concurrent connections to the API


Traffic management >> Spike Arrest

● Prevents calls beyond high watermark from reaching the backend
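
The three policies above, combined in one gateway-side admission check. This is an added example, not part of the original slides and not any platform's own implementation. The class and parameter names are hypothetical, and spike arrest is modelled as a minimum spacing between forwarded calls, which is an assumption the slide does not state.

```python
import time
from collections import defaultdict

class TrafficPolicy:
    """Checks a gateway applies before a call is forwarded to the backend."""
    def __init__(self, quota, window_s, max_concurrent, spike_per_s, clock=time.monotonic):
        self.quota, self.window_s = quota, window_s
        self.max_concurrent = max_concurrent
        self.min_gap = 1.0 / spike_per_s   # assumed spike-arrest model: minimum spacing
        self.clock = clock
        self.window = {}                   # api key -> (window start, calls counted)
        self.in_flight = defaultdict(int)  # api key -> requests still open
        self.last_pass = None              # when the last call was forwarded

    def admit(self, key):
        """Return "ok", or the name of the policy that rejected the call."""
        now = self.clock()
        # Spike arrest shields the backend as a whole, so it ignores the key.
        if self.last_pass is not None and now - self.last_pass < self.min_gap:
            return "spike_arrest"
        # Rate limiting, as defined above: concurrent connections per client.
        if self.in_flight[key] >= self.max_concurrent:
            return "rate_limit"
        # Quota: maximum number of calls per unit time (fixed window).
        start, used = self.window.get(key, (now, 0))
        if now - start >= self.window_s:
            start, used = now, 0
        if used >= self.quota:
            return "quota"
        self.window[key] = (start, used + 1)
        self.in_flight[key] += 1
        self.last_pass = now
        return "ok"

    def release(self, key):
        """Call once the response for an admitted request has been sent."""
        self.in_flight[key] = max(0, self.in_flight[key] - 1)

def demo():
    """Constructed scenario: one client key driven by a fake clock."""
    t = [0.0]
    p = TrafficPolicy(3, 60, 2, 10, clock=lambda: t[0])
    out = []
    # (time of call, number of open requests that finish right after it)
    for now, finished in [(0.0, 0), (0.05, 0), (0.2, 0), (0.4, 2), (0.6, 1), (0.8, 0), (61.0, 0)]:
        t[0] = now
        out.append(p.admit("app-A"))
        for _ in range(finished):
            p.release("app-A")
    return out
```

Rejected calls do not consume quota here, so a client that is throttled by spike arrest or the concurrency limit keeps its full allowance for the window.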


Traffic Management >> API Caching
Caching is the technique to store copies of frequently accessed data which can be found faster.

API Proxies can maintain a series of Caches to store Responses of frequently used Requests.

Over HTTP, responses to GET requests are cached by default; responses to POST requests are not.

2 main HTTP response headers that we can use to control caching behavior:
● Expires :
○ Expires: Fri, 20 May 2016 19:20:49 IST
○ Beyond this date the API responses are considered stale ; Needs refresh
● Cache-Control :
○ Cache-Control: max-age=3600
○ How long the response is cacheable
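
How a caching proxy can turn these two headers into a freshness decision, as an added example that is not part of the original slides. The function names are hypothetical, and the time the response was received stands in for its Date header. HTTP dates must be expressed in GMT, so the slide's `IST` value fails strict parsing and is treated as already expired; `max-age` takes precedence over `Expires` when both are present.

```python
from datetime import datetime, timezone

HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"   # IMF-fixdate; HTTP dates are always GMT

def parse_cache_control(value):
    """Split 'max-age=3600, no-store' into {'max-age': '3600', 'no-store': ''}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives

def freshness_lifetime(headers, received_at):
    """Seconds for which a proxy may serve the stored response without a refresh."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc:
        return 0                               # must not be kept at all
    if "max-age" in cc:                        # max-age wins over Expires
        return int(cc["max-age"]) if cc["max-age"].isdecimal() else 0
    expires = headers.get("Expires")
    if expires is None:
        return 0                               # assumption: no heuristic freshness
    try:
        when = datetime.strptime(expires, HTTP_DATE).replace(tzinfo=timezone.utc)
    except ValueError:
        return 0                               # unparseable date counts as already expired
    return max(0, int((when - received_at).total_seconds()))

def is_fresh(headers, received_at, now):
    """True while the cached copy can be reused; False once it is stale."""
    return (now - received_at).total_seconds() < freshness_lifetime(headers, received_at)

# Constructed sample: the two header values shown above, plus a GMT variant.
RECEIVED = datetime(2016, 5, 20, 18, 20, 49, tzinfo=timezone.utc)
SLIDE_EXPIRES = {"Expires": "Fri, 20 May 2016 19:20:49 IST"}
GMT_EXPIRES = {"Expires": "Fri, 20 May 2016 19:20:49 GMT"}
MAX_AGE = {"Cache-Control": "max-age=3600"}

if __name__ == "__main__":
    for h in (MAX_AGE, GMT_EXPIRES, SLIDE_EXPIRES):
        print(h, freshness_lifetime(h, RECEIVED))
```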
API Caching >> Benefits
Optimizing the network using caching improves the overall quality-of-service in the
following ways:

● Reduce bandwidth
● Reduce latency
● Reduce load on servers
● Hide network failures
Section 6
API Analytics
Why API Analytics ?
API analytics is needed for 4 major purposes

● Service improvement
● Catch Errors
● Understand threats/attacks
● Business support
2 perspectives of Analytics

METRICS: Error rates, Throughputs

VISIBILITY: Usage, Transaction
Analytics >> Metrics

Performance
● Response Time
● Throughputs
● Peaks/Valleys

Errors
● API Errors
● Backend errors
● Policy Errors

SLA
● Clauses are not violated
Analytics >> Visibility

Usage
● By User - Who is using the API most?
● By Region - From which geography the API is used more
● By API - Which APIs are most popular
● By Device - From which Device or App the API calls are more

Transactions
● Specific to Business
● Logic has to be built in the Proxy
● Example - Origin of Max Sales looking into the Credit Card data
Sample Analytics Dashboard on APIGEE
Section 7
API Productization & Monetization
API = Product
What is a Product ?

A product is a system offered in a market that might satisfy a certain need or
want of the customer.

A product has a life cycle, and it has to be managed


Productization

Business Case
● New revenue
● Brand visibility
● Partnership

Research
● Consumer ?
● Needs, Desire, Problems
● Why will they use your API ?

Create
● Planning
● Designing APIs
● Built for Scale
● Delivery

Marketing
● How will your consumer find
● Sample Apps
● Events
● Hackathon
● Community
● Open Source

Sales
● Developer Portal
● SLAs

Service
● Developer Portal
● Helpdesk
● Monitoring
Monetization

DIRECT: Salesforce, AWS, Twilio

+

INDIRECT: Flipkart Affiliate, Twitter, Linkedin
Monetization models
Thank you!

See you tomorrow at 10AM
