Essential elements of an API strategy – IBM Developer

Build cloud-native applications for regulated workloads with IBM Cloud for Financial Services Learn more

Archived | Essential elements of an API strategy

Archived content

Archive date: 2019-08-30

This content is no longer being updated or maintained. The content is provided “as is.” Given the rapid evolution of technology, some content, steps, or illustrations may have changed.

To thrive in the API economy, you need to strategize your API approach and create, run, manage, and secure your APIs. With this dedicated focus on APIs, your company can share data and services in an easy-to-consume format. It can also create an ecosystem of partners and third parties that is much greater than the ecosystem you reach by using traditional channels. An effective API strategy treats an API as a business product with a well identified lifecycle, target market, and metrics for return on investment (ROI).

This article is geared to API developers, architects, and product managers. You learn about the essential elements of an API strategy, including the key stakeholders, their needs, and how IBM® API Connect can help to meet those needs. You see how API Connect goes beyond the limits of an API management platform, allowing your organization to not only manage and secure its APIs, but to also create and run them. Finally, you see how quickly you can get started with API Connect.

The foundation of an API strategy

To gain a better understanding of the foundation of an API strategy, you need to consider who is involved and what capabilities of an API they want to use.

The lifecycle of an API involves a wide range of stakeholders. This article examines the following key roles:

  • Application developer. This person is the consumer of an API. The application developer might work for the company that is exposing the API or work for a business partner of that company. Or, this person might not have any previous relationship with the organization that owns the API.
  • API product manager. This person is responsible for defining various facets of the API, including the roadmap, target audience, monetization strategy, and lifecycle.
  • API developer. This person has a broad IT role that entails creating the API and exposing the IT assets of the organization.

The following figure illustrates how each of these roles contributes to the API strategy.

Contribusion of stakeholder roles to API strategy

From both a business and technical point of view, the nature and type of capabilities that are exposed by an API can also cover a broad spectrum. However, from an architectural point of view, you can classify APIs into two groups:

  • System APIs. These APIs expose core back-end systems capabilities. They usually trigger generic, process-agnostic activities and tend to target application developers who are internal to the organization.
  • Interaction APIs. These APIs support more use-case-specific functions. Their implementation often aggregates and filters calls to system APIs. The interfaces are optimized for ease of consumption and tend to target mobile devices or consumers who are outside the boundaries of the organization.

The following figure illustrates the differences between system APIs and interaction APIs.

Differences between system APIs and interaction APIs

API Connect goes beyond API management. It includes an application platform to create and run microservices. That is, you get an integrated set of tools to create and run both the secure access points and the application logic behind it.

How API Connect supports your strategy

IBM API Connect addresses the needs of all stakeholders in your API strategy and across both system APIs and interaction APIs.

For the application developer: Self-service API consumption

Consuming an API in a self-service manner is key for widely adopting that API. The concept of self- service consumption is different from the concept of free-for-all consum ption. A viable API strategy must be based on a holistic approach that balances ease of use with strong security and governance.

To achieve this balance, IBM API Connect Developer Portal, which is a single web portal, supports the application developer on all dimensions of self-service consumption of an API:

  • Discovery: In the Developer Portal, you can search for an API and read its documentation. You can read the reviews of other users and access blogs and Twitter feeds to gain a well-rounded understanding of how the API is used in the field.
  • Subscription: When you subscribe to an API, you receive a set of credentials (an API key and secret) that identify your application with the API provider and grant you access. You can also renew your keys if their confidentiality becomes compromised.
  • Implementation and Test: From the Developer Portal, you can access code snippets that implement, in multiple languages, the few lines of code that are required to start the API. You can also generate sample input data sets, or use a built-in web client, to trigger the invocation of the API and verify its behavior.
  • Capturing usage metrics: After the application is in your users’ hands, you can analyze API invocation metrics, such as invocation rates, latency, and data traffic.
  • Support: The Developer Portal gives you access to the user community with dedicated forums. And, you can open and track tickets for the API provider support team.

For the product manager: API product publishing, management, and analytics

APIs are not used in isolation. The agreement with the consumer goes beyond a simple list of inputs and outputs. For example, you might have an application that initially called an API a few times per minute. But, when the application becomes widely adopted, it starts to generate a load of many thousands of transactions per second. You might ask: Is that type of load still supported? Who can I contact if I need more information? What are the license terms of the API that I am using?

All these aspects are wrapped into the concept of an API product, the entity at the center of the management aspects of IBM API Connect. An API product includes a set of APIs that are related to each other, typically because they are used together or provide alternative ways of performing the same action. It includes references to license terms, terms of service, and contact details. An API product also defines plans that describe entitlements to the consumption of the API, or rather the number of calls per time period that you are allowed to trigger.

By using IBM API Connect, product managers can control the activities that are involved in bringing an API product to market and managing its lifecycle after it is in use. API Connect has the following core activities:

  • API product publishing: You can define the group of application developers who will subscribe to and use the API product. You can also make the API endpoints available for invocation and publish their documentation on the developer portal.
  • API product subscriptions management: You can decide on the type of control want over the API. You can have fine-grained control, which means you decide whether to approve every subscription request. You can have restricted control, in which you authorize application developers based on their organization. Or, you can make an API completely public. If any subscription is misused or a product is retired, you can revoke the subscription.
  • API product lifecycle and version management: You must carefully manage the retirement of an API product or its migration to a new version because of the potential for costly impact on application developers. Alternatively, running multiple versions of the same capability creates excess use of resources for product managers and their IT organizations. API Connect addresses these challenges by facilitating the communication between the parties that are involved in the process and providing choices of proven transition paths. When you release a new version of an API, you have the following options:

    • Make multiple versions available, and manage the lifecycle of each one independently.
    • Deprecate the old version when a new one is published.
    • Retire the old version when the new one is published.

    API Connect supports all of these options. If an API is deprecated, the solution prevents new subscriptions, while it continues to support invocations for existing consumers. If the old version is retired, API Connect will manage the migration of subscriptions. You can also define the approval levels that are required to move an API between lifecycle states so that changes are properly reviewed. You can then use the developer portal or email communications to recommend migration paths and timelines to the application developers.

  • API analytics: Having hard data on how APIs are used by their consumers is vital to quantifying the return on investments, predicting trends, and identifying opportunities. API Connect captures information about every API call and it feeds it into a powerful analytics engine. From this engine, you can obtain metrics and visualize data with prebuilt or custom queries.

For the API developer: An end-to-end integrated environment

From a technical point of view, an API implementation consists of two core elements:

  • Secure access point, which runs on an API gateway that enforces the policies that are associated to the exposure and consumption of the API, such as authorization rules and call rate limits
  • Application, which implements the business logic of the API

As illustrated in the following figure, the API gateway enforces access control, while the business logic of an API can run on a microservice or an existing enterprise system.

Diagram of API gateway enforcing access control and API business logic running on a microservice or enterprise system

When API developers create system APIs, they expose logic that is already implemented in existing applications through a new secure access point. However, for interaction APIs, they need to create new functions, building both the access point and a new microservice with the required application logic. IBM API Connect represents a significant shift from previous versions of IBM offerings that used to focus on only the security and management aspect of an API. API Connect goes beyond API management. It includes an application platform to create and run microservices. That is, you get an integrated set of tools to create and run both the secure access points and the application logic behind it.

In particular, the API developer can use:

  • A Swagger editor and policy assembler to define the API and specify security constraints, invocation rate limits, routing, data, and protocol transformations.
  • LoopBack® models to implement the business logic of the API. LoopBack is a Node.js open source framework that was created by StrongLoop, an IBM company. It is effective for API development because it embraces, from the ground up, the core concepts of REST. Its core application construct, a model, is a representation of the business entities that you want to expose, such as a customer or an account.

When you define a model and its attributes in business terms, LoopBack automatically generates all the REST endpoints to enable a consumer to access the entity and make them available on the API Connect Swagger Editor. This way, they can be secured and configured as part of an API product. Models encapsulate both business logic (such as implementing the filtering or aggregation of multiple, fine-grained system APIs) and data, which is usually persisted in enterprise systems of record. The API developer extracts access to these external resources, ranging from a database to an external service or event bus, by using a connector framework that exposes the data sources through a set of consistent interfaces. You can find a lot of examples in the StrongBlog from StrongLoop.

You can define all artifacts by using either the graphical user interface or command line interface to suit both novice and advanced users. Then, you can easily integrate these definitions into your existing DevOps tool chain.

Because API Connect includes a choice of runtimes, you can run the different architectural elements of an API implementation on the most suitable platform.

You can deploy the access point and its policies on the following gateways:

  • Edge Gateway. An enterprise scale secure gateway that provides a public access point to your APIs
  • Micro Gateway. A lightweight Node.js gateway that supports testing or providing routing and logging for a single application

On the application side, API Connect provides entitlements for two types of runtimes:

  • Node.js to run LoopBack applications
  • Java® Liberty to deploy Java components

Node.js has emerged as a platform that is known for its successful implementation of mobile back ends (a use case for interaction APIs). However, many organizations want to continue to use the wealth of Java assets that they own or can access, both in terms of technical libraries and development skills. By having a choice of runtimes, you can place workloads with different characteristics on the most appropriate technology.

An in-depth analysis of the characteristics of Node.js versus Java goes beyond the scope of this article. However, the asynchronous nature of Node.js makes it best suited for applications that coordinate access to many external resources. And, the threading model of Java makes it efficient for CPU-intensive workloads. If you choose to run both Node.js and Java, you don’t have to worry about the complexity of managing different environments. API Connect gives you a single dashboard to manage and scale the runtimes, regardless of their nature.

The principle of choice with consistency is also valid for the deployment model of the solution. You can install all API Connect components on-premises or on a third-party cloud. Alternatively, you can consume them as a managed service on IBM Cloud. You can experiment with them at no cost and sign up for a subscription plan that enables you to gradually expand your API footprint without needing a large investment up front.

Get started with IBM API Connect

APIs are about more than just creating new interfaces with your existing systems. They are the backbone of your digital transformation and bring new opportunities from both a technical and management perspective. This article explained how IBM API Connect provides a complete solution for you to not only secure and manage your APIs, but to also create and run the new business logic that is required by your digital channels.

To get started with IBM API Connect and learn more about the technology, see it in action by watching the following demo videos:

Then, try it at no cost on IBM Cloud, and download the API Connect Developer Toolkit.

Download API Connect service.

Download API Connect Developer Toolkit.

Plus, see the related topics for more resources. To discuss how API Connect can help with the specific API solution that you are building, contact me by sending an email message to