AMS

API Management

Problem Statement

When we start developing APIs for our applications, for both internal and external use, information about them has to be shared within the developer and user communities. Along with sharing that information, we need to control and monitor access to the exposed APIs. As the number of APIs increases, it becomes difficult to exchange and maintain them, and they need to be maintained systematically through processes and tools specifically designed to manage APIs.

Consider a few cases:

  • Without API management, each developer would have hardcoded the API access point and all the calls related to it in the code. Changing something as simple as the API URL then causes a lot of issues, not only for the API owners / developers but also for the business owners / end users who rely on them. If the API is attached to and accessed via API management, the backend API URL and anything related to it can be hidden from the API consumers. The API itself can have whatever URL, and it will always stay the same for API consumers.
  • With the help of API management, API providers can change the API backend implementation / location without disrupting developer productivity or end users' access / business.

What is API Management?

API management is a set of processes and tools that allow an organization / its developers to maintain this information, manage access to their APIs, maintain versions and control their release.

It enables API developers to:

  • Provide information about the APIs and their documentation
  • Version the APIs and support older versions
  • Design, publish and deploy the APIs
  • Provide secure access and apply security policies
  • Manage access control and maintain an API store
  • Monitor access / usage and usage limits
  • Use analytics to understand trends and the most commonly used APIs
  • Generate various reports of API usage to understand and improve it

API management software is built with the intention of making API design, deployment and maintenance easier and more efficient. Although each individual API management tool has its own unique set of features, most of them include essential features like documentation tools, security, sandbox environments, high availability and backward compatibility.

Implement / Enable API management

API management software can be built in-house or purchased as a service through a third-party provider. The open API movement (earlier known as Swagger Specification), spearheaded by big-name companies like Facebook, Google and Twitter, significantly reduced API dependency on conventional service-oriented architecture (SOA) in favor of more lightweight JSON and REST services. Some API management tools can convert existing SOAP, JMS or MQ interfaces into RESTful APIs or JSON content.

Some of the API management platforms:

  • 3scale API Management
  • Akana Platform
  • Apigee
  • Azure API Management
  • TIBCO Mashery
  • MuleSoft
  • WSO2
  • Amazon Web Services (AWS) API Gateway

Comparison between various API Management platforms

  • 3scale: Widely used API management solution. Available under a commercial license and can be deployed on premises and on cloud. Suitable for startups, mid-sized or enterprise applications.
  • Akana: Has all the benefits of API management features, with strong analytics and a UI-based API design platform for developers. Available under a commercial license and can be deployed on premises and on cloud, mainly for enterprises.
  • Apigee: Widely used and widespread API management solution with hundreds of customers. Offers wide analytics capability and a developer community. Supports Swagger specs. Available under a commercial license and can be deployed on premises and on cloud, mainly for enterprises.
  • Azure API Management: Recent compared to other platforms. Can be called a complete set of solutions for API management. Available under a commercial license and can be deployed on premises and on cloud.
  • TIBCO Mashery: Can be called a complete set of solutions for API management. Supports Docker and Swagger 2.0 specifications. Available under a commercial license and can be deployed on premises and on cloud.
  • MuleSoft: Based on open source technologies, with a large developer and user community. A unified solution connecting SOA, SaaS and APIs. Available under a commercial license and can be deployed on premises and on cloud.
  • WSO2: Can be called a complete set of solutions for API management. Available under the Apache license as an open source platform. Also available under a commercial license and can be deployed on premises and on cloud. Suitable for both startups and enterprise applications.
  • AWS API Gateway: Cloud-based platform that works as a pay-as-you-go service. Using the API Gateway console, APIs can be defined and managed, and SDKs can be generated for clients. Suitable for startups, mid-sized or enterprise applications.

Spring Boot – Swagger

Spring Boot supports the development of components that are well suited to microservices, as the components are loosely coupled and can run independently. The RESTful APIs developed with Spring Boot can be documented, presented, modeled and tested through Swagger integration. Swagger provides the ability to design the model, create a UI to test the APIs, and generate code (to provide SDKs) in various languages for API end users.

The springfox-swagger2 and springfox-swagger-ui dependencies in a Spring Boot application can be used to generate the API docs and a UI for testing the REST APIs.

Case Study: Implemented 3scale authentication for the Marketplace API of a large Product Data Management company in the USA

The marketplace provides two APIs for end users, item “search” and “fetch”. When end users register, 3scale issues them an application id (used as the user id) and a secret key (used as the password) for access to the APIs. To call an API, the end user passes the application id together with an HMAC hashcode generated by signing the request parameters of the URL with the secret key that 3scale provided. All calls go through 3scale, which authenticates the user by verifying the application id it issued for access to the marketplace APIs. Once the call is authenticated, 3scale passes the secret key to the backend marketplace service as a request header in a secure manner. The backend marketplace service recomputes the HMAC hashcode and compares it with the one passed in the request by the end user. If the hashcodes match, the call is allowed; otherwise it is denied. Since all calls to the marketplace APIs go through 3scale, authentication, monitoring and usage limits are all handled by 3scale.
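The signing and verification steps of this case study, as an added Python example that is not the project's code: the client signs the sorted request parameters, and the backend recomputes and compares the HMAC using the key forwarded by the gateway. HMAC-SHA256, the `signature` parameter name and the sample credentials are assumptions; the page does not specify them.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample credentials; real values are issued by the gateway at registration.
APP_ID = "example-app-id"
SECRET_KEY = b"example-secret-key"
SIG_PARAM = "signature"  # hypothetical parameter name; the page does not name it
HASH = hashlib.sha256    # assumption: the page does not name the hash function


def canonical_query(params):
    """Sort and percent-encode the parameters so both sides sign identical bytes."""
    items = sorted((k, v) for k, v in params.items() if k != SIG_PARAM)
    return urlencode(items).encode("utf-8")


def sign_request(params, secret_key):
    """Client side: return the query string with the HMAC of its parameters appended."""
    digest = hmac.new(secret_key, canonical_query(params), HASH).hexdigest()
    return urlencode(sorted(params.items()) + [(SIG_PARAM, digest)])


def verify_request(query_string, secret_key):
    """Backend side: recompute the HMAC with the key forwarded by the gateway."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        return False  # duplicate parameters make the signed string ambiguous
    params = dict(pairs)
    received = params.get(SIG_PARAM)
    if not received:
        return False  # unsigned request
    expected = hmac.new(secret_key, canonical_query(params), HASH).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


def demo():
    signed = sign_request({"app_id": APP_ID, "q": "usb cable", "page": "1"}, SECRET_KEY)
    tampered = signed.replace("page=1", "page=2")
    return verify_request(signed, SECRET_KEY), verify_request(tampered, SECRET_KEY)


if __name__ == "__main__":
    print(demo())
```

Percent-encoding the parameters before signing keeps a value such as `a&b=c` from being read as two parameters on the verifying side.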

Conclusion

API management is essential to exchange, maintain, and control the API information between the B2B systems as well as Marketplace services provided to developers consuming the APIs.

Amar Patwari

About the author – Amar Patwari

Amar Patwari is a graduate in Electronics and a Sun Certified Java programmer. He has over 15 years of experience in the design and development of Enterprise Systems in the Retail and Finance domains. He holds great interest in the latest technologies.
