API Management Buyers Guide White Paper
What Is an API?

The value of your software, data, or other digital assets can be dramatically increased by reaching new audiences. This is possible through APIs, or Application Programming Interfaces. APIs have been used for decades to connect the functionality of one piece of software or data to another. APIs allow you to make your data or software compatible, secure, and easily available to a larger market. Web APIs in particular are more recent and growing in popularity. Some of the connections made possible by web APIs include mobile applications, software-as-a-service applications, on-premises software (accessible only within the organization's internal network), and IoT (Internet of Things) devices. These connections would not be easy, or even possible, without API management.

Why Do I Need API Management?

API management gives you control over security, user provisioning and revocation, authentication, authorization, usage limitations, billing, and backend hosting. You also gain the tools needed to enable your API consumers to understand and integrate the APIs into their own applications. An API management platform enables you to provide the front-end management, backend hosting, and operational support for web APIs.

The most important management issue when using an API is security, to protect you and your end user's information. Security flaws in web APIs have made the news as they become more prevalent. For example, car manufacturer Tesla Motors installed an API on one of its car models that allowed customers to control their car's features using their cellphones. In August 2013 it was reported that third parties could use security flaws in the Tesla API to potentially gain control of the car's automatic locks, change climate controls, flash headlights, and even honk the horn.

Good API security measures could have prevented these issues and spared Tesla Motors the negative publicity. If you are interested in making your digital assets available through an API, choosing the right API management solution is critical for secure, managed access to your assets. This paper outlines where to begin your search for an API management solution that fits your high-level strategy, lists the essential buying criteria you can use to evaluate solutions, and provides next steps and additional resources.
Begin by Defining Metrics, Target Audiences, and Go-to-Market

Prior to evaluating API management solutions, you should create a high-level strategy. First, think about what your success criteria are for your API. What goals and success metrics will you use to measure your progress against these goals? A critical part of establishing your success metrics is understanding the audience who will be consuming your API, as well as your go-to-market strategy.

There are three main API audiences: internal, partner, and public.

Internal APIs are meant to be consumed only inside the digital asset owner's organization. For example, an internal API may enable your organization's salespeople to see inventory from within a private mobile application. Typically, organizations do not charge for internal APIs, although there are cases where usage could be applied to cost center accounting.

Partner APIs are created to share information and data with a partner's controlled systems. For example, a supplier's partner API may be used to provide a reseller's sales team with inventory data for the supplier's products in mobile applications. Normally, partner APIs are not monetized, although there are cases where costs could be charged to the partners or the suppliers.

Finally, public APIs are developed to be consumed by a much wider community. Provisioning of these APIs can vary from automatic approval of anyone who expresses interest to manual approval, including contract negotiations. These APIs can either be free to use, or the developer (or even the end user) can be charged. There are many business models in use for paid APIs.

Another key aspect of your API strategy is go-to-market. Your go-to-market strategy will depend on the goals and audience for your API, but your plan for driving awareness and demand for your API is critical to reaching your goals.
Perhaps your API is an overlay to your existing business which can leverage the same go-to-market strategy that has made your core business successful. Alternatively, your API may be a new product with a new set of customers, so your go-to-market strategy may be completely new. Creating a set of goals and metrics to measure your success towards these goals is the first step in choosing an API management solution. Once your strategy is outlined, you can use the following set of buying criteria to find a solution that fits your needs.

Buying Criteria

The API management market is rapidly evolving with a variety of vendors and products. Some vendors have come from the service-oriented architecture (SOA) space and morphed their solutions into more general API management solutions. Others are focused on building commercially consumable APIs as a key foundation for your business, covering operational and business models comprehensively. Some solutions are geared towards low-cost, higher-effort customization. In the interest of an unbiased approach, this guide will not include specific vendor recommendations. Instead, it provides a set of criteria that will enable you to home in on the solution that best meets your business needs. These criteria include hosting, provisioning, business model support and billing, technology support, security, and developer enablement tools. If you have any questions or comments on any of these criteria or any recommendations, please do not hesitate to contact StrikeIron, Inc. via the contact information listed at the end of this paper.

Hosting

One of the first questions you need to answer, even before you consider API management vendors, is where you are going to host the data and/or software that will be producing the API. These are the four basic API management models:

API Management and Back-End-as-a-Service Model
Profile: This is the most complete API management solution. The API management vendor is fully responsible for hosting both the endpoint (where the end user accesses the API) and the infrastructure with the back-end data or software for the API.
Benefits: A turnkey solution to create and manage an API without having to invest in the operational burden of providing 24/7/365 support, managing scalability, and other functions.
Risks: Finding a vendor you can trust to maintain your API infrastructure reliably.

Cloud Proxy / Façade Model
Profile: The user endpoint for the API is hosted in a public cloud environment and managed by the API management vendor. The user endpoint API then calls your internal API, which you are responsible for hosting.
Benefits: If you already have an unmanaged API, the time to market for a managed API is very short.
Risks: Puts the burden of managing the API infrastructure, including uptime, scalability, and support, on you.

Gateway Model
Profile: You onboard and host the API management platform in your existing infrastructure. You will be responsible for all user endpoints as well as full operational support of the API end-to-end.
Benefits: You control the entire API infrastructure.
Risks: Hosting and controlling the entire API infrastructure is a large operational burden.

Instrumented Model
Profile: You are responsible for hosting the API and the user endpoints, and you instrument your code with callouts to the API management vendor for operations like authentication and usage tracking.
Benefits: You control the user endpoints.
Risks: You manage the API infrastructure while also being exposed to potential downtime from the API management vendor. Another downside is that you have to modify your source code, typically in many places, for full support.
Provisioning

Provisioning users with access to your API is a critical task that, depending on your strategy, may work in different ways. (The same is true for revocation of users.) For example, you may want to provision API consumers automatically for a free, limited trial, and then later require your sales or sales operations team to sign them up for a paid subscription. Alternatively, you could require approval for each API consumer. You may even want to enable an e-commerce, self-service type of environment for your API consumers, so they can purchase paid subscriptions. Provisioning can also occur from a management portal or via an API that is integrated into your CRM, ERP, or other systems. The API management solution you choose should map to your strategy while providing the flexibility to support a wide assortment of provisioning options.

Business Model Support and Billing

If you want to monetize your API, support for different business models will be a primary consideration. You should create a hypothesis about the business model(s) you plan on supporting when creating your API strategy, but make sure to choose an API management vendor that supports a variety of models. The models that resonate most with your customer base may not be what you initially expected. Commercial APIs are typically monetized with one or more of the following business models.

In arrears / pay-as-you-go: At the end of a time period, typically a month, the customer is billed for usage.
Monthly: The customer is billed monthly for either unlimited usage or based on a subscription tier (e.g. 1,000,000 API calls per month).
Annual: The customer is billed annually for either unlimited usage or based on a subscription tier (e.g. 10,000,000 API calls per month).
Bucket: The customer buys a bucket of transactions that they can consume over time. The bucket may or may not expire.

Each model can have an overage amount that is applied at a different rate. Additionally, each model will have to support different prices for each customer, subscription tiers, etc. A freemium model (providing free access but charging for advanced optional features) can be layered on each of the business models above.
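As an added worked example (not code from this paper or from IronCloud), the following computes one billing period's charge under the in-arrears, subscription-tier, and bucket models listed above, including overage at a separate rate. The plan fields, prices, and call counts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    """One customer's commercial terms (constructed; field names are assumptions)."""
    model: str            # "arrears", "tier" (monthly or annual) or "bucket"
    base_fee: float       # recurring fee per period (tier) or price of the bucket (bucket)
    included_calls: int   # calls covered by base_fee (tier) or bought up front (bucket)
    unit_rate: float      # price per call: all usage (arrears) or overage (tier, bucket)


@dataclass(frozen=True)
class Invoice:
    amount: float         # charged for the period, in currency units
    overage_calls: int    # calls billed at unit_rate rather than covered by the plan
    bucket_remaining: int # calls still left in a prepaid bucket (0 for other models)


def bill_period(plan: Plan, calls: int, bucket_remaining: int = 0) -> Invoice:
    """Amount owed for one billing period's usage under the customer's model."""
    if calls < 0 or bucket_remaining < 0:
        raise ValueError("usage counters cannot be negative")
    if plan.model == "arrears":
        # Pay-as-you-go: every call made in the period is billed at the end of it.
        return Invoice(round(calls * plan.unit_rate, 2), calls, 0)
    if plan.model == "tier":
        # Subscription tier: the base fee covers included_calls; anything above
        # that is overage, billed at a different (per-call) rate.
        overage = max(0, calls - plan.included_calls)
        return Invoice(round(plan.base_fee + overage * plan.unit_rate, 2), overage, 0)
    if plan.model == "bucket":
        # Prepaid bucket: draw down what the customer already bought and charge
        # only for calls made after the bucket is exhausted.
        from_bucket = min(calls, bucket_remaining)
        overage = calls - from_bucket
        return Invoice(round(overage * plan.unit_rate, 2), overage,
                       bucket_remaining - from_bucket)
    raise ValueError(f"unknown business model: {plan.model!r}")


def new_bucket(plan: Plan) -> Invoice:
    """Buying a bucket is charged up front; the calls are then consumed over time."""
    if plan.model != "bucket":
        raise ValueError("only the bucket model is prepaid")
    return Invoice(round(plan.base_fee, 2), 0, plan.included_calls)
```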
Finally, some APIs are monetized using more traditional business models like servers used or per-seat licenses (the number of individual users in a single account), along with other options. While there are other types of API monetization models, most fit into those listed above.

In addition to the business models, you will need to be able to bill for the API usage. Typically this is done with either credit card transactions or direct invoicing. Your selected API management solution should already be equipped to support flexible billing options.

API Technology Support

There are a variety of standards for calling web APIs. There are four main terms to be familiar with when evaluating the types of APIs that an API management solution supports.

XML (Extensible Markup Language): One of the two common document types used for calling and receiving data with web APIs. Both SOAP and REST support XML (see below).

JSON (JavaScript Object Notation): The other common format for exchanging data with web APIs. JSON is only used with REST, not SOAP, which is entirely XML-based.

REST (Representational State Transfer): A very popular method for implementing and calling web APIs that can use both XML and JSON. Its design goal is to parallel resource-based web pages with a limited, standardized set of operations called verbs. The URI (web address, or Uniform Resource Identifier) is typically used to specify the verb and resource.

SOAP (Simple Object Access Protocol): Another popular way to implement web APIs. It depends entirely on XML and is more flexible in defining a collection of methods. The downside: it is more complex and results in more data transfer, which is a disadvantage for environments with slow or restricted data transfer like mobile networks.
SOAP toolkits exist for most popular programming languages to streamline developer implementation. Although REST and JSON are getting the most attention right now, there is still a population of developers who are more comfortable with other common standards like SOAP and XML. Unless you are completely sure your customers will not want SOAP or XML, it is best to select an API management solution that includes native support for REST, SOAP, XML, and JSON. This enables you to implement your APIs in each variant to streamline integration.

Security

Security is critical to any API. As APIs become more and more commonplace, API hacking will soon follow. Ensuring a secure API involves two main areas: user endpoint security and infrastructure security.

The first (and simplest) rule of user endpoint security is that all user endpoints are called via HTTPS. This encrypts all traffic over the Internet. While simple, some API consumers ignore this very basic security mechanism and send their information over the Internet unencrypted.

There are a variety of security paradigms in use for API calls, including user ID / password combinations, license keys, and OAuth. OAuth is gaining popularity due to its extensibility for new scenarios where users allow applications to interact with their accounts on social networks. For example, if you have given an application like bit.ly, Hootsuite, or many others the ability to post to Twitter or Facebook for you, you used OAuth. All authentication and authorization alternatives have their positives and negatives, so choosing a platform that supports several different mechanisms gives you the most flexibility.

With the exception of the API Management and Back-End-as-a-Service model, the burden of infrastructure security rests on you. This means you must make sure your infrastructure is safe from hacking, including SQL injection, open port exploitation, Distributed Denial of Service (DDoS) attacks, and many other security holes.

Developer Enablement

Developer enablement is critical in getting API consumers to discover and integrate your API, in turn making your assets more valuable. The tactics and tools needed for developer enablement depend on the API audience you are addressing. For example, good documentation, sample source code, and API exploration tools are likely sufficient for internal and partner APIs, where the audience is small, controlled, and limited. With public APIs you should make sure your API management vendor understands API adoption and go-to-market, so they can help you get the most valuable adoption possible for your API.
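As an added example (not code from this paper or from IronCloud), the following sketches the user-endpoint checks from the Security section as a managed gateway would apply them before forwarding a call to the back end: HTTPS only, license-key authentication with revocation, and the monthly usage limit of the consumer's subscription tier. The header names, the consumer record, and the key format are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Consumer:
    """Provisioned API consumer (constructed; field names are assumptions)."""
    key_hash: str              # SHA-256 of the issued license key; the key itself is not stored
    monthly_limit: int         # subscription tier, e.g. 1,000,000 calls per month
    calls_this_month: int = 0  # usage tracking, reset when the billing period rolls over
    active: bool = True        # set to False on revocation


def hash_key(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def provision(consumers: dict, consumer_id: str, monthly_limit: int) -> str:
    """Mint a random license key for a new consumer; only its hash is kept server-side."""
    key = secrets.token_urlsafe(32)
    consumers[consumer_id] = Consumer(hash_key(key), monthly_limit)
    return key   # shown to the consumer once, via the portal or the provisioning API


def revoke(consumers: dict, consumer_id: str) -> None:
    consumers[consumer_id].active = False


def authorize(consumers: dict, scheme: str, headers: dict) -> tuple:
    """Gateway check for one call; returns (HTTP status, reason). 200 means forward it."""
    if scheme.lower() != "https":
        # First rule of user endpoint security: never accept credentials in the clear.
        return 403, "endpoint must be called over HTTPS"
    consumer = consumers.get(headers.get("X-Consumer-Id", ""))
    key = headers.get("X-License-Key")
    # One response whether the id or the key is wrong, and a constant-time compare
    # of the hashes, so the check does not reveal which part failed.
    if consumer is None or key is None or not hmac.compare_digest(hash_key(key), consumer.key_hash):
        return 401, "invalid consumer id or license key"
    if not consumer.active:
        return 401, "subscription revoked"
    if consumer.calls_this_month >= consumer.monthly_limit:
        # Tier exhausted: reject here, or let it through and bill overage per the business model.
        return 429, "monthly call limit reached"
    consumer.calls_this_month += 1
    return 200, "ok"
```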
At a minimum, the developer enablement solutions should include:

- Tools to build a customer portal, including providing customers with visibility into their current API access, subscriptions, and account information, and either gated or un-gated access to developer-enablement toolkits.
- Sample source code in languages relevant to your audience.
- Interactive tools to test the API without writing code.
- Documentation to streamline API adoption.
- Registration support.

Next Steps in Your API Journey

The sections in this paper should help you both formulate your API strategy and choose the one solution that best meets your needs. Each vendor's solution, including StrikeIron's IronCloud platform, has its positives and negatives. As you develop your strategy, you may also want to review the white paper Developing, Deploying, and Delivering Web APIs. If you have any questions on getting started or selecting the right API management platform, drop us an email at info@ or call +1 919.467.4545.
About StrikeIron

StrikeIron serves customers around the world by delivering an end-to-end API management cloud platform, IronCloud, and data-driven API solutions. We provide email verification and hygiene, address verification, phone validation, phone append, SMS text messaging, and sales tax solutions to organizations in a variety of markets. StrikeIron solutions are delivered as Web services that can be easily integrated into any application or system. Additionally, our solutions are pre-integrated into leading platforms like Magento, Marketo, Eloqua, Salesforce.com, Informatica, Oracle CRM On Demand, and more. Visit us on the web at www..

COPYRIGHT STRIKEIRON. ALL RIGHTS PROTECTED AND RESERVED.