Simon Bisson
Contributor

Red light, green light: The importance of good API management

analysis
Feb 06, 2015 | 5 min read
Tags: APIs, Cloud Computing

Securing APIs is only the first step. With API management tools, you can also throttle access, monitor traffic, and establish policies -- for third-party APIs and your own

Modern enterprise applications depend on APIs. They simplify linking line-of-business services to mobile apps, they let you build third-party cloud services into your business, and much more. With APIs, a field service engineer can run an app on a smart device that’s using your in-house warehousing system to deliver parts to customers managed by Salesforce, while navigating them to a customer site via Nokia’s Here.

APIs make it easier to build complex applications, encouraging a new generation of “quick fix” and custom apps that run alongside larger systems — and professional developers aren’t the only ones building those new tools. With users developing their own apps, it’s important to control access to your APIs, as well as to the third-party APIs your users depend on.

API management tools let you control and version APIs, as well as stipulate users’ level of access. Such tools as Microsoft’s Azure API Management, Apigee’s Edge, and Intel’s Mashery are gateways between APIs and developers, mediating connections and handling service authentication.

With these tools, you can set up different levels of access for different classes of users and applications, treating APIs as services. High-priority users and applications might get “gold” service, with unlimited calls and higher bandwidth, while users building their own apps get “bronze” service, limiting not only the number of calls per hour they can make, but also locking them down to read-only access.

Protecting your API assets

With broader usage comes greater exposure. API-driven visual development tools are increasingly common, for example, and while they extend the reach of business applications, they add new risks. Perhaps an API will end up more popular than expected, or a service will turn out to be used externally when it was intended to be internal only.

Risks like these can be reduced with API management tools that add quotas and rate limits, limiting the number of calls an application or user can make to APIs. Without some form of throttle, it’s easy to imagine a rogue application overloading an API, accidentally causing a denial-of-service attack on key business systems. With a quota in place, an app can make only a limited number of calls, keeping your service safe.

Of course, you can also block certain apps from calling certain APIs completely or permit access only from internal IP addresses or through a VPN.

Most API management tools also add an audit trail. Perhaps you’re linking an internal application to Salesforce or Workday and want to ensure the data is stored correctly. An audit log of API calls (complete with data) can be compared with the data stored on a cloud service, for example. Effective audit logs aren’t only for debugging your code, they’re also key to ensuring you’re compliant with business regulations. You can use them to track possible data loss and to lock down services if you suspect an intrusion.

There’s another benefit to using tools like these: They let you add policy-based management to your APIs. Setting up API service plans is all very well, but you don’t want to have to add users to plans by hand. Integrating policy-based management with your corporate directory simplifies the process, enabling you to, say, automatically add developers to a group with access rights to all APIs, while limiting sales access to specific services using external APIs.
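The tiered plans, hourly quotas, read-only restrictions, directory-group mapping and audit trail described above, pulled together in one small gateway policy engine. This is an added example, not code from Azure API Management, Apigee or Mashery; the plan names, group names, quota sizes and audit record layout are all constructed assumptions.

```python
"""Tiny API-gateway policy engine illustrating plan tiers (added example, no vendor's code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed plan definitions mirroring the article's "gold"/"bronze" tiers.
# calls_per_hour=None means unlimited; read_only plans may only issue GET requests.
PLANS = {
    "gold":   {"calls_per_hour": None, "read_only": False},
    "bronze": {"calls_per_hour": 5,    "read_only": True},
}

# Constructed directory-group -> plan mapping (policy-based management, no manual enrolment).
GROUP_PLANS = {"developers": "gold", "sales": "bronze"}


@dataclass
class Gateway:
    now_hour: int = 0                     # coarse clock: which hourly quota window we are in
    usage: dict = field(default_factory=lambda: defaultdict(int))  # (user, hour) -> calls made
    audit: list = field(default_factory=list)                      # one record per request

    def plan_for(self, groups):
        """Resolve a user's plan from directory groups; the highest tier wins, no match = no access."""
        plans = {GROUP_PLANS[g] for g in groups if g in GROUP_PLANS}
        if "gold" in plans:
            return "gold"
        return plans.pop() if plans else None

    def authorize(self, user, groups, method, path):
        """Return (decision, reason) and append an audit record regardless of the outcome."""
        plan = self.plan_for(groups)
        decision, reason = "allow", plan
        if plan is None:
            decision, reason = "deny", "no plan for groups"
        else:
            p = PLANS[plan]
            key = (user, self.now_hour)
            if p["read_only"] and method.upper() != "GET":
                decision, reason = "deny", "read-only plan"
            elif p["calls_per_hour"] is not None and self.usage[key] >= p["calls_per_hour"]:
                decision, reason = "deny", "quota exceeded"   # throttle before the backend sees it
            else:
                self.usage[key] += 1                          # only allowed calls consume quota
        self.audit.append({"user": user, "method": method, "path": path,
                           "plan": plan, "decision": decision, "reason": reason})
        return decision, reason
```

Denied calls are still written to the audit list, which is what lets you spot a runaway app or an unexpected external consumer after the fact.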

Microsoft’s Azure API Management offers an additional feature: the ability to translate older-format APIs to modern technologies. Using its translation tools, you can convert existing SOAP (or similar) services from XML to RESTful JSON, so your developers can use the latest generation of development tools and platforms, giving a significant legacy technology investment a new lease of life.

Monitoring external APIs

There’s more to API management than controlling access. If you’re building apps that depend on third-party APIs, it’s important to know exactly how those APIs are behaving — if only to be able to inform users of outages.

Tools like APImetrics’ cloud-hosted API monitoring service allow you to understand how the services you’re using operate, with a snapshot of current performance and, more important, a historical record. By embedding its probes in cloud infrastructure, APImetrics can monitor API performance across geographies and different networks. There’s even the option to simulate service operations by testing APIs in sequence.

APImetrics’ historical record is an important tool, as it lets you understand how an API behaves over time, helping you manage service-level agreements with API providers. Where things get more interesting is in the option to drill into API payloads. There, you can see if a malformed JSON response is causing problems, for example, even when the API reports that all is well.
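A payload-aware health check of the kind the paragraph above describes: a probe that treats a malformed or incomplete JSON body as a failure even when the HTTP status says all is well, and rolls a run of probes into an SLA-style availability figure. This is an added example, not APImetrics’ code; the responses are constructed inline, so nothing is fetched from the network, and the required keys and latency threshold are assumptions.

```python
"""Payload-aware API probe and availability rollup (added example, not APImetrics' code)."""
import json
from dataclasses import dataclass


@dataclass
class ProbeResult:
    http_ok: bool        # status code in the 2xx range
    payload_ok: bool     # body parsed and carried the fields we rely on
    latency_ms: float
    detail: str          # human-readable reason, useful in an outage notice


def check_response(status, body, latency_ms, required_keys=("id", "state")):
    """Classify one captured response. HTTP 200 alone does not mean the API is healthy."""
    http_ok = 200 <= status < 300
    if not http_ok:
        return ProbeResult(http_ok, False, latency_ms, f"HTTP {status}")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as e:
        return ProbeResult(http_ok, False, latency_ms, f"malformed JSON: {e.msg}")
    missing = [k for k in required_keys if k not in doc]
    if missing:
        return ProbeResult(http_ok, False, latency_ms, f"missing keys: {missing}")
    return ProbeResult(http_ok, True, latency_ms, "ok")


def availability(results, max_latency_ms=1000.0):
    """Fraction of probes that were 'up': HTTP, payload and latency must all pass."""
    if not results:
        return 0.0
    up = sum(1 for r in results
             if r.http_ok and r.payload_ok and r.latency_ms <= max_latency_ms)
    return up / len(results)


# Constructed sample probes: (status, body, latency_ms).
SAMPLES = [
    (200, '{"id": 1, "state": "shipped"}', 120.0),   # healthy
    (200, '{"id": 2, "state": "shipped"', 130.0),    # truncated JSON behind a 200
    (200, '{"id": 3}', 110.0),                       # well-formed but missing a field
    (503, '', 90.0),                                 # outright outage
    (200, '{"id": 4, "state": "ok"}', 2500.0),       # correct but too slow for the SLA
]
RESULTS = [check_response(*s) for s in SAMPLES]
```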

Think of a public API as a consumer-facing Web application: If it’s not on your network, then you are crossing the public Internet and subject to commensurate performance constraints. Most services monitor only their own endpoints. Being able to report performance from various points across the Internet helps in SLA negotiations and in getting the support you need for your applications.

As dependence on APIs increases, API management needs to be a key element of any enterprise architecture. API management tools provide many of the controls you need, but ultimately, the hard work lies in identifying your most important internal and external API assets and developing effective policies.

Author of InfoWorld's Enterprise Microsoft blog, Simon Bisson prefers to think of “career” as a verb rather than a noun, having worked in academic and telecoms research, as well as having been the CTO of a startup, running the technical side of UK Online (the first national ISP with content as well as connections), before moving into consultancy and technology strategy. He’s built plenty of large-scale web applications, designed architectures for multi-terabyte online image stores, implemented B2B information hubs, and come up with next generation mobile network architectures and knowledge management solutions. In between doing all that, he’s been a freelance journalist since the early days of the web and writes about everything from enterprise architecture down to gadgets.