Why we need APIs (and APIs need us too)

APIs connect. A fundamental component of the new neural network, the fabric and interwoven composition of the modern cloud and web, application programming interfaces (APIs) have become the backbones (figuratively and literally) of connected applications and services.

Written with a defined syntax and structure, APIs forge links between applications, smaller application components, application services, or higher-level operating systems.

When ride-sharing company Uber needed a map interface to create location-based representations of cities, streets, and towns, it didn’t create a map service — it plugged into Google Maps because Google had “exposed” its API for use by approved external third parties. Hence, a preferred API example was born.

If you API they will come

But just because an organization, technical group, cloud service provider (CSP), enterprise technology provider, or other creates an API, its existence doesn’t guarantee the connection itself. There is no magic “if you build it (code it), they will come” here.

Deeper into this point, when someone creates an API, we need to start thinking about who or what machine is connecting to it. Philosophically, one could say that if an API exists but no one and nothing connects to it, then does it really exist in the first place? Conversely, if an API benefits from mass connections, can it handle that pressure and is it designed to scale appropriately for the job?

The truth is, an API maker never knows where their API might end up being used.

“Keeping track of who is using your API is key to improving performance and next-step innovations — and the easiest way to do that is to add authentication. Adding API authentication helps prevent abuse of created services, and also gives us a way to uniquely identify each application that calls our API endpoints,” said Michael Heap, Director of developer experience, Kong Inc, the cloud native API company.

For API mechanics and software engineers who now work as dedicated gurus in this space, there are several different options available for authentication.

This is where technologists like to use the term “lightweight” (meaning a small code footprint, but enough software to do the job), which in this case could imply lightweight API key authentication, where the caller of the API (i.e. Uber in our example above…or any other hook-up app or service anywhere in the world) sends a random string in an authorization header. More complex asymmetric authentication methods also exist to add more security.

API Authentication Equals Control

“As part of an enterprise organization, software engineers may need to restrict access to specific people by integrating with an identity provider through OpenID Connect,” Heap explained. “But no matter which authentication strategy an organization chooses, the result is the same – systems will be protected from anonymous abuse. This means that the business will know who is using their API and can better understand usage patterns and begin to improve the service that the API exists to provide in the first place.”

As a company that works specifically in this space, Kong’s team says that once a company knows who’s calling their API, they can start digging deeper.

Questions to ask include whether (for example) 75% of the traffic an API sees comes from a single consuming source, i.e. another organization or a web service. If an organization is creating an API that spans a number of different endpoints, why does one particular company ignore 90% of what’s on offer and only call one endpoint or two? Or, to take it a step further, are most errors returned by an API sent to people in a specific industry?

“By recording incoming request endpoints and returned HTTP code, an organization can start to get a sense of how people are using their API. If you have an endpoint that is very expensive to maintain and less than 10% of customers use it, should you consider dropping it? Identify your top consumers and start a conversation with them. Ask them why they use your platform and what their top use cases are,” Heap said.

The suggestion here is that this process could open up new opportunities in specific industries as the organization learns what the pain points are in terms of customer and partner API connections – this can pave the way for specialized APIs to capture common workflows.
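The questions above can be answered directly from per-request records once every call is tied to an authenticated consumer. The following is an added example, not code from Kong or from the original article; the record layout, consumer names and endpoints are constructed, and the 75% and 10% thresholds are taken from the figures quoted in the text.

```python
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed records: (consumer, endpoint, HTTP status)."""
    log = [("c00", "/rides", 200)] * 77            # one very heavy consumer
    for i in range(1, 12):                          # eleven light consumers
        log += [(f"c{i:02d}", "/rides", 200), (f"c{i:02d}", "/maps", 200)]
    log.append(("c01", "/export", 500))             # a niche, failing endpoint
    return log


def traffic_share(log):
    """Fraction of all requests sent by each consumer."""
    counts = Counter(consumer for consumer, _, _ in log)
    return {c: n / len(log) for c, n in counts.items()}


def endpoint_adoption(log):
    """Fraction of consumers that called each endpoint at least once."""
    callers = defaultdict(set)
    for consumer, endpoint, _ in log:
        callers[endpoint].add(consumer)
    total = len({consumer for consumer, _, _ in log})
    return {e: len(s) / total for e, s in callers.items()}


def error_rate(log):
    """Fraction of each consumer's responses with a 4xx/5xx status."""
    seen, errors = Counter(), Counter()
    for consumer, _, status in log:
        seen[consumer] += 1
        errors[consumer] += status >= 400
    return {c: errors[c] / seen[c] for c in seen}


def report(log, dominant=0.75, rare=0.10):
    """Flag dominant consumers, rarely adopted endpoints and error sources."""
    return {
        "dominant_consumers": sorted(
            c for c, s in traffic_share(log).items() if s >= dominant),
        "rarely_used_endpoints": sorted(
            e for e, a in endpoint_adoption(log).items() if a < rare),
        "consumers_with_errors": sorted(
            c for c, r in error_rate(log).items() if r > 0),
    }
```

None of these figures can be computed for anonymous traffic, which is why the consumer identity from authentication has to be logged with each request.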

Make it self-service

Nothing discourages users of a service more than having to request access and wait for it to be approved. When this happens, they have usually found an alternative and implemented what they need, even before their application is considered. By using an API developer portal, an organization can provide API documentation in a format expected by consumers, such as OpenAPI. This can be public or require developer registration to access (as long as there is no approval process).

“These portals can also handle app registration, where developers create an app and generate credentials without any interaction with another person. This provides self-service credential management, which is essential when building integrations to be used in multiple environments, such as staging and production. Many leading API companies such as Twitter, Stripe, and Slack provide a self-service developer portal to help consumers get started as quickly as possible,” Kong’s Heap said.

Unfortunately, not all consumers of your API will behave well. Not from a security perspective per se, but in terms of the frequency and accuracy of API calls that are made. Sometimes there is malicious intent, but most of the time, when an API consumer misbehaves, it’s because the calling service doesn’t know better and therefore calls the API too frequently, or sends malformed requests or payloads too large to process.

Dealing with malicious consumers of course takes time. In this scenario, Heap advises organizations to implement strategies such as “rate limiting” to manage request volumes (and share the number among multiple instances of an application).

“When this happens, IT teams need to implement strict validation rules and sometimes configure your HTTP server itself to reject large requests to protect your application,” Heap said. “Building all of these features takes time. Due to recent economic shocks and the scarcity of talented developers, this represents time and resources that your organization cannot afford to spend, rather than improving your APIs to serve your customers.”
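To make the controls discussed so far concrete, here is an added example (not Kong's code and not from the original article) that chains API key authentication, a payload size ceiling and a per-consumer rate limit in front of an application. The `ApiKey` header scheme, the limits, the consumer names and the keys are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: consumer name -> SHA-256 digest of its API key.
# Keeping only digests means a leaked table does not reveal usable keys.
KEY_DIGESTS = {
    "app-staging": hashlib.sha256(b"constructed-key-staging").hexdigest(),
    "app-prod": hashlib.sha256(b"constructed-key-prod").hexdigest(),
}
MAX_BODY_BYTES = 1024    # assumed payload ceiling
LIMIT_PER_WINDOW = 3     # assumed quota per consumer per window
WINDOW_SECONDS = 60


def identify(headers):
    """Return the consumer owning the key in the Authorization header."""
    scheme, _, key = headers.get("Authorization", "").partition(" ")
    if scheme != "ApiKey" or not key:      # "ApiKey" scheme is an assumption
        return None
    digest = hashlib.sha256(key.encode()).hexdigest()
    match = None
    for consumer, stored in KEY_DIGESTS.items():
        # Constant-time comparison, and no early exit from the scan.
        if hmac.compare_digest(digest, stored):
            match = consumer
    return match


def gate(headers, body, now, counters):
    """Return (HTTP status, consumer) for a request before the app sees it.

    `counters` maps (consumer, window) -> count. It is a plain dict here;
    with several gateway instances it would be a shared store, so that the
    quota is enforced across all of them rather than per instance.
    """
    consumer = identify(headers)
    if consumer is None:
        return 401, None                   # anonymous callers are rejected
    if len(body) > MAX_BODY_BYTES:
        return 413, consumer               # oversized payload, never parsed
    window = int(now // WINDOW_SECONDS)
    used = counters.get((consumer, window), 0)
    if used >= LIMIT_PER_WINDOW:
        return 429, consumer               # quota for this window exhausted
    counters[(consumer, window)] = used + 1
    return 200, consumer
```

Because every decision after the first check carries the consumer name, the 413 and 429 responses can be logged per consumer and fed into the same usage analysis as successful calls.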

Get everything for free

But what if you could protect your APIs with free rate limiting and validation? What if someone else could provide a developer portal with self-service credential generation? What about usage analytics broken down by consumer? This scenario actually already exists through projects like API Gateway Authentication, which is full of authoritative content.

“Implementing an API gateway can be done without modifying your application code. The proxy sits in front of your app and adds all the above functionality without you needing to change anything. Being able to modify the behavior of your application without deploying it is even more essential in the cloud age. Your application runs on distributed systems across multiple clouds. It is no longer a single application running on a single server. API Gateways allow you to scale the way you manage your APIs with minimal effort, whether you have 10 or 10,000 deployments,” Heap clarified.

APIs need us humans too

So, back to our philosophical question. If no one uses an API, does it really exist? A bit like a tree falling in a forest when no one is around… does it make noise? Does the useless silent API really exist?

Kong’s Heap says no, definitely.

Unused software components of almost any type that benefit from no user interface keystrokes or clicks, know no connection to software machine engines of any description (whether cloud-based virtual machines or physical hardware pieces in the device universe) and are in no way integrated with (or part of) another live data service that makes up the cloud firmament do not exist, effectively.

“One of the main reasons an API goes unused is because it hasn’t been made public. By creating a developer portal to catalog all of an organization’s API offerings and providing detailed documentation and self-service registration, a business can dramatically increase adoption of their API, and as they gain traction, they can use that same API management platform to ensure security and analysis of its APIs,” concluded Heap.

We need APIs and – perhaps surprisingly, perhaps paradoxically, certainly heartwarmingly – they also need us humans to oversee their stewardship, health and well-being, to define their place in the world and to make it work properly.

The “happiness” of the API is one thing, the clue is in the name, isn’t it?

About Bradley J. Bridges
