[APIdays NY] Managing the usage of Asynchronous APIs: What does it take?
- 1. Managing The Usages Of Asynchronous APIs
July 29 2021
Sanjeewa Malalgoda
Software Architect/A. Director
- 3. ● Why Asynchronous APIs?
● Asynchronous API usages and applications.
● API Management for asynchronous APIs.
● Asynchronous API management challenges and solutions.
Agenda
- 6. ● View your account balance.
● Transfer money from your account via mobile application.
● Place an order through an e-commerce application.
● Search for something on the web.
● Upload your picture to social media.
Usages of synchronous APIs
- 8. ● Additional network calls between client and server.
● Processing in server and client for each additional call.
● Some research found <5% new results coming through polling.
● Poor user experience.
● ETags solve only part of the problem.
Polling?
- 10. ● Receiving notifications about someone's reaction on your social media account.
● A new message notification on your mobile device.
● Liquidation reminder from your trading application.
● Live location/schedule updates in transportation scenarios.
● Live sports score updates.
● Video games.
● Updates when 2 people work on the same online document or issue.
Why Asynchronous APIs?
- 12. ● When to use asynchronous and synchronous APIs?
● Selecting implementation for your asynchronous API.
⦿ WebSockets - multiplexed, bidirectional streaming, for applications that need a huge number of messages from both ends of the connection.
⦿ MQTT - for IoT devices with limited battery life.
⦿ Server-Sent Events - especially useful in browser client applications.
⦿ Webhooks - pushing notifications to one or a small number of servers.
Choose Synchronous/Asynchronous
- 13. ● Standardize asynchronous API design and documentation.
● Protocol agnostic API definitions.
● Tool support for APIs (document generation, client and SDK generation, etc.).
● Address EDA-specific requirements.
AsyncAPI Specification
- 15. The API Product Lifecycle
Building
● Building your API.
● Different technologies - REST, SOAP, GraphQL, gRPC, Events, etc.
Assembly
● Integrating systems and services to build APIs.
Packaging
● Packaging APIs to form products
● Creating documentation
● Associating business plans
● Categorization
Delivery
● API Platforms (Marketplaces)
● Catering to demand
Automation
● API Automation techniques
● CI/CD and delivery pipelines
API Product Lifecycle
- 16. ● API management QoS features apply to asynchronous APIs as well.
⦿ Unify API development and subscription experience across protocols.
⦿ Authentication and authorization
⦿ Rate limits and throttling
⦿ Usage data monitoring and alerting
⦿ Business insights
⦿ Conformity scans
Asynchronous API Management
- 17. Event Driven API Management - https://github.com/wso2/reference-architecture/blob/master/event-driven-api-architecture.md
- 18. ● API developer and API product manager roles are already established within organizations.
● Most organizations have adopted a design-first API development methodology for new APIs.
● API developers usually prefer to use the same platform they used for synchronous (REST) API development.
● API consumers prefer one API consumer portal or marketplace.
API Management Platform for both Synchronous/Asynchronous
- 19. ● Different development experiences (e.g., creating a WebSub proxy/hub API does not need an endpoint, while a WebSocket API needs one).
● Users can start API development with an API definition (AsyncAPI).
● Asynchronous APIs can have topics, while synchronous REST APIs have resources.
● API development experience (Design > Development > Deploy > Test > Publish).
API Development Experience
- 20. ● API discovery experience.
● Subscriptions for APIs with business plans.
● Use of API documentation.
● Common API store features like comments, ratings, etc.
API Consumption
- 21. ● Different protocols are tied to different security mechanisms.
⦿ Webhooks (hub scenarios) use security mechanisms like a verification token, signature (HMAC), thin payload, and mutual TLS.
⦿ WebSocket can be secured with standard OAuth with scopes or any other standard security mechanism.
⦿ SSE can be secured with tokens.
● Security mechanisms enabled for a subscriber need to work across different protocols.
● Handle protocol-specific security demands.
API Security
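The webhook mechanisms named on this slide (verification token, HMAC signature, thin payload), sketched as an added example that is not code from the talk or from any API management product. It assumes a WebSub-style hub: the `method=hexdigest` signature format and the `hub.topic`/`hub.challenge` parameters follow WebSub, while the `token` parameter name, the secret and the sample body are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Digest methods the subscriber accepts; SHA-1 is deliberately left out.
ALLOWED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384,
           "sha512": hashlib.sha512}

# Constructed thin payload: it names the event but carries no business data,
# so the receiver fetches details over its normal authenticated API.
SAMPLE_BODY = b'{"event_id": "evt-1001", "type": "order.updated"}'


def sign(secret: bytes, body: bytes, method: str = "sha256") -> str:
    """Hub side: build the signature header value for one delivery."""
    return f"{method}={hmac.new(secret, body, ALLOWED[method]).hexdigest()}"


def verify_delivery(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Subscriber side: accept a delivery only if its HMAC matches."""
    if not header or "=" not in header:
        return False                      # unsigned deliveries are rejected
    method, _, received = header.partition("=")
    digestmod = ALLOWED.get(method.strip().lower())
    if digestmod is None:
        return False                      # unknown or weak algorithm
    expected = hmac.new(secret, body, digestmod).hexdigest()
    # Constant-time comparison on bytes; also safe for non-ASCII header junk.
    return hmac.compare_digest(expected.encode(),
                               received.strip().lower().encode())


def verify_intent(params: dict, token: str, topic: str) -> Optional[str]:
    """Subscription handshake: echo the challenge only for our own request."""
    supplied = params.get("token", "")    # hypothetical parameter name
    if (hmac.compare_digest(supplied.encode(), token.encode())
            and params.get("hub.topic") == topic):
        return params.get("hub.challenge")
    return None                           # caller answers with an error status
```

The signature must be computed over the raw request bytes as received, before any JSON parsing or re-serialization changes them.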
- 22. ● Ability to support protocol-specific rate limits.
⦿ Webhook and SSE APIs can be rate limited by the number of events transferred within a day or hour, along with the number of active subscriptions at any given time.
⦿ WebSocket APIs can be rate limited based on the data volume transferred.
● Ability to define business plans and rate limiting tiers by combining multiple rate limiting methodologies.
Rate Limiting
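One way to combine the rate limiting methods on this slide into a single business plan, as an added example that is not code from the talk or from any gateway. The `Plan` and `PlanLimiter` names, the fixed-window approach and the two sample tiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Plan:
    """Hypothetical business plan tier; a limit set to None is not enforced."""
    max_events_per_window: Optional[int] = None      # webhook / SSE events
    max_active_subscriptions: Optional[int] = None   # concurrent subscribers
    max_bytes_per_window: Optional[int] = None       # WebSocket data volume
    window_seconds: int = 3600


class PlanLimiter:
    """Fixed-window limiter that enforces every limit the plan defines."""

    def __init__(self, plan: Plan):
        self.plan = plan
        self.window_start = 0.0
        self.events = 0
        self.bytes = 0
        self.subscriptions = set()

    def subscribe(self, sub_id: str) -> bool:
        cap = self.plan.max_active_subscriptions
        full = cap is not None and len(self.subscriptions) >= cap
        if sub_id not in self.subscriptions and full:
            return False
        self.subscriptions.add(sub_id)
        return True

    def unsubscribe(self, sub_id: str) -> None:
        self.subscriptions.discard(sub_id)

    def allow(self, size_bytes: int, now: float) -> bool:
        """Admit one event or frame only if it fits all configured limits."""
        p = self.plan
        if now - self.window_start >= p.window_seconds:   # start a new window
            self.window_start = now - (now % p.window_seconds)
            self.events = self.bytes = 0
        if p.max_events_per_window is not None and self.events >= p.max_events_per_window:
            return False
        if p.max_bytes_per_window is not None and self.bytes + size_bytes > p.max_bytes_per_window:
            return False
        self.events += 1
        self.bytes += size_bytes
        return True


# Constructed tiers: event count plus subscriptions for webhooks, volume for WebSocket.
WEBHOOK_BRONZE = Plan(max_events_per_window=3, max_active_subscriptions=2)
WEBSOCKET_BRONZE = Plan(max_bytes_per_window=1024, window_seconds=60)
```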
- 23. ● Capture the right events for API usage.
● Capture protocol-specific usage attributes.
⦿ Ex: WebSocket bandwidth, SSE event counts, Webhook active user counts, etc.
● Visualize collected data in a meaningful way.
Monitoring & Alerting
- 24. ● GraphQL allows users to subscribe to events with an attribute list, so they are notified with the requested content only.
● The ability to intercept messages and filter content for async APIs is a plus point for any API management system.
● With content inspection capability, upstream service modifications can be detected easily and client failures prevented.
Content Scanning & Filtering
- 25. Connect with Event Streams
Ability to connect with event sources directly and expose them as managed APIs via different protocols.
API Management Layer