The API lifecycle is made up of four stages, which an API provider would iterate through several times as part of an API program: Plan/Design, Build/Integrate, Operate/Manage, and Share/Engage. You can find a more detailed description of the API Lifecycle in the first post, in which we also describe the Plan/Design stage.
API Lifecycle Stage 2: Build/Integrate
After the objectives of the Plan/Design stage are achieved, an API provider can move on to the Build/Integrate stage. This stage entails the real development of the API. This usually means coding an API from scratch, integrating with existing systems, or a mix of both. Based on the paradigms, technologies, or data formats chosen in the Plan/Design phase, this can be more or less complex and time-consuming. Especially for RESTful APIs there is already a plethora of frameworks and libraries available, which help to build such APIs quickly.
Below is a list of frameworks related to popular platforms or programming languages. This list is not ordered and not exhaustive but a quick collection. Let us know your favorite frameworks or libraries for API development in the comments.
Some of these frameworks are very simple to implement. During the API Crash Course workshop – which you can learn more about at the bottom of the post – we use an example from Node.js with Express.js, which makes it very simple to expose RESTful APIs. The framework abstracts most of the necessary functionality and provides the developer with all the necessary CRUD functions and more. You can find this code example on slides 24-25 in the embedded presentation below.
Another extremely handy service related to building and integrating APIs is AppNow. AppNow is especially useful for simple APIs, prototyping, quick and simple proofs of concept, or demos. It allows you to specify a data model by importing a corresponding spreadsheet or by defining it via an online editor. A couple of clicks later, the data model is deployed in a MEAN environment directly to Heroku, BlueMix, or CloudShare. The deployment comes with an AngularJS frontend and (more importantly) a CRUD RESTful API that is also fully documented and testable via Swagger.
- APItools provides a more effective way to implement internal and external API services. It allows developers to troubleshoot and monitor API traffic. Developers can also modify API requests or responses and create simple mock-ups quickly. It also offers insights about key indicators of all API traffic.
- Postman is a simple API testing tool, which can be used to fire simple requests at Web APIs and get a good feeling about the behavior of an API quickly.
- Ready! API is similar but offers more sophisticated features such as creating virtualized servers hosting APIs. These virtualizations let you simulate all sorts of adverse situations, such as high latency, and then see how the API behaves in them. This is very valuable input for testing and improving APIs.
- Runscope is also an API testing and analytics tool, which is very easy to integrate. It provides a wide range of customizable testing features including automated testing.
After building and testing (another increment of) your API, the next step is deployment. We run a series of API management crash courses where, for demonstration purposes, we provide a prepared API that is ready for deployment. You can find a description in the slides or directly on GitHub. If you have a Heroku account, you can deploy this API directly there via a 1-button click feature, which we provide directly on this GitHub repository.
That’s it. The API is public, live and ready to be used. But there is a problem: This API is unsecured.
Unsecured API… What’s the Problem?
In the setup outlined above, we have no visibility into the usage patterns of the API. We don’t know who uses the API, when, where or why. We also have no way to manage or control this usage. If someone uses the API maliciously – flooding, unlawful use of data, etc. – we have no means to react. Nor could we use the API to support the organization’s business model – e.g., there are no monetization possibilities.
There are some best practice recommendations about securing APIs. The first recommendation stems from what we described in the first stage, Plan/Design, where we argue that an API ideally is not just a side-project but should be fully integrated into an organization’s strategy. To achieve that, we need control and management functions for the API. For that, the API needs to be secured via access control mechanisms, which can range from low to high security and corresponding implementation complexity.
In addition, the usage patterns of the API should be controllable, e.g., via rate limits. This makes the traffic patterns a lot more predictable and helps when deciding on the right server capacity. A final recommendation is to have at least basic monitoring and analytics in place, which will provide a lot of intelligence about the API and help steer the API program in the right direction.
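The three recommendations above (access control, rate limits, basic usage monitoring) combined in one framework-independent Node.js gate. This is an added example, not code from the workshop slides or the GitHub repository; the key values, client names, quotas and the `createGate` function are constructed for illustration.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Constructed sample clients: only key hashes are stored, never the keys themselves.
const CLIENTS = new Map([
  [sha256('demo-key-alice'), { id: 'alice', limit: 3 }],
  [sha256('demo-key-bob'), { id: 'bob', limit: 1 }],
]);

function createGate(clients, windowMs = 60000) {
  const windows = new Map(); // client id -> { start, count } for the current window
  const usage = new Map();   // client id -> { allowed, throttled }
  let rejected = 0;          // requests with a missing or unknown key

  function check(apiKey, now = Date.now()) {
    // Access control: the caller must present a key whose hash is registered.
    const client = typeof apiKey === 'string' ? clients.get(sha256(apiKey)) : undefined;
    if (!client) {
      rejected += 1;
      return { status: 401, error: 'invalid or missing API key' };
    }
    const stats = usage.get(client.id) || { allowed: 0, throttled: 0 };
    usage.set(client.id, stats);
    // Rate limit: fixed window per client, reset once windowMs has elapsed.
    let win = windows.get(client.id);
    if (!win || now - win.start >= windowMs) {
      win = { start: now, count: 0 };
      windows.set(client.id, win);
    }
    if (win.count >= client.limit) {
      stats.throttled += 1;
      const retryAfter = Math.ceil((win.start + windowMs - now) / 1000);
      return { status: 429, client: client.id, retryAfter };
    }
    win.count += 1;
    stats.allowed += 1;
    return { status: 200, client: client.id, remaining: client.limit - win.count };
  }

  // Monitoring: who called, how often, and how often they were throttled.
  const report = () => ({ rejected, perClient: Object.fromEntries(usage) });
  return { check, report };
}
```

In an Express.js app, `check` would be called from a middleware that reads the key from the request and answers with the returned status before the CRUD handlers run.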
The resources invested in managing APIs and the tools and mechanisms chosen to achieve that depend on the context of an organization and how it uses the API. The API ideally is part of the overall strategy, but within that, the API can play a more or less crucial role in contributing to the business model. If the API is the business model (examples include Twilio), API management is crucial for the success of this business.
These are some of the important aspects to consider related to the Build/Integrate stage of the API lifecycle and for the actual coding of the API. In the next post, we will cover more details related to the Operate/Manage stage and related API management best practices.
About the Crash Course in API Management
As part of our collaboration with Startupbootcamp Berlin, the leading global startup accelerator with a focus on Smart Transportation & Energy, we ran an API Crash Course workshop. The slides are available on SlideShare and embedded at the bottom of this post. In the workshop we introduced the various business benefits of APIs, how these could be leveraged as an organization and gave some examples of successful case studies. In the second part of the workshop, we covered the various stages of the API lifecycle, and introduced best practices and tools for each stage. We will publish details related to each of the four stages of the API lifecycle in a 4-part blog post.
This is the second part of this series. Read the first here.
Below are the slides from the workshop: