API management refers to the processes for distributing, controlling, and analyzing the APIs that connect applications and data across the enterprise and across clouds. The goal of API management is to allow organizations that create APIs or use others’ APIs to monitor activity and ensure the needs of the developers and applications using the API are being met.
Organizations are implementing strategies to manage their APIs so they can respond to rapid changes in customer demands. In most cases, these organizations adopt a microservices architecture in order to meet demands by speeding up software development. HTTP-based APIs have become the preferred method for synchronous interaction among microservices architectures. These APIs are the glue that connects all of the microservices together. Managing these APIs allows an organization to make sure the APIs are used in compliance with corporate policies and allows governance by appropriate levels of security, as some services may require different security policies than others.
Microservices and APIs are the foundation for rapidly developing innovative application components to meet new business needs—an approach known as cloud-native application development. This approach is not without its challenges, though.
The key technical challenge to forming microservices is breaking up larger systems into their smaller components. As we mentioned, APIs allow these smaller components to connect with data sources and each other.
Another challenge presented by a microservices architecture is how to coordinate the many frequently changing microservices. Service discovery makes this easier. API management provides the necessary discovery mechanisms to ensure that available microservices can be found and documentation on how to use them is shared through the developer portal.
Microservices require an integrated approach to security. Security mechanisms differ depending on the type of API: external-facing services require different security mechanisms than internal ones. For less mission-critical APIs, simple protection with API keys is usually sufficient. For external or critical APIs, a more secure approach, like OAuth, will be required.
Ask yourself these critical questions:
- How do we control access to our API?
- How do we capture metrics and handle alerts?
- How should spikes in usage be managed?
- Who is responsible for API uptime?
- How do we feel about undesired API usage?
Without measuring the effects of our efforts we have no way of evaluating our success. Analytics provides data about API activities but we still must provide a definition of success. When defining success in your organization consider these 5 key performance objectives for APIs:
- Dependability. Dependability is the availability of the API to developers. A useful metric for measuring dependability is downtime. Is the API always available for use? Another metric is quota which defines how many API calls can be made by a developer within a certain time frame. A quota protects an API from abuse and makes its management more predictable. Some API providers’ business models and price plans are based on quotas.
- Flexibility. Flexibility refers to the options developers have when adopting APIs. Greater flexibility in an API means greater effort (and cost) for the organization managing the API.
- Quality. Quality is the consistent conformance of the API’s behavior to developer’s expectations. It is a way of measuring developer’s satisfaction with the API.
- Speed. Speed can be measured by access latency and throughput. Speed can be influenced by techniques like throttling or caching.
- Cost. The goal of measuring cost is to provide developers with the best value for your money. All of the other 4 objectives contribute, in one way or another, to the cost objective.