lean . enterprise . middleware

WSO2 API Management Platform
Chris Haddad, VP, Technology Evangelism
Paul Fremantle, CTO and Co-Founder
Asanka Abeysinghe, Director, Solutions Architecture
© WSO2 2011. Not for redistribution. Commercial in Confidence.
Business APIs



“APIs provide a way to make resources available for internal and external partners to access information and services.”
API Architecture

An API is a business capability delivered over the Internet
  to internal or external consumers
   • Network accessible function
   • Available using standard web protocols
   • With well-defined interfaces
   • Designed for access by third-parties
A Managed API is:
   • Actively advertised and subscribe-able
   • Exhibits high Quality of Service (QoS)
   • Available with Service Level Agreements (SLAs)
   • Secured, authenticated, authorized and protected
   • Monitored and monetized with analytics
A note on our development process
• WSO2 uses an agile, iterative development process
   •   v1.0 is a Minimum Viable Product
   •   http://en.wikipedia.org/wiki/Minimum_viable_product
   •   Just enough features to allow a subset of users to deploy
       the system in production
• Each further release is aimed at meeting specific
  user requirements
• Not everything we say today may end up in v1.0
   •   You can follow progress on dev@wso2.org
   •   And by joining the Beta programme (details at the end)
WSO2 API Management Platform
API Store Features
API Publisher Features
API Management Platform Details
•   Full support for web protocols:
     • JSON/HTTP(S), REST interactions
     • SOAP/HTTP(S), XML/HTTP(S)
     • Non-blocking high-performance HTTP transport handles thousands of concurrent
       connections
•   API Key Management based on OAuth2
     • Get Key (with or without asynchronous approval process)
     • Renew Key
     • Revoke Key

•   Monitoring and analytics
     • Latency, Response Time, Failures vs Success, Total Transactions,
       Transactions by API Key
     • By user specified time period as well as over the last 1m, 5m, 10m, 1hr, 4hr,
       8hr, 24hr periods
API Key Use Case
Understanding the flow
•   API Publisher adds API into API Manager
    •   [Optionally provides sandbox endpoint]
•   API Governance / Admin approves publish
•   …
•   API Consumer finds API
•   API Consumer subscribes to API Key
    •   [optional approval process]
•   OAuth2 Bearer Key issued
    •   [optionally issue both production and sandbox keys]

•   …
•   API Consumer application makes a call
    •   API Key is validated
    •   API Key metadata is used to identify:
         •   Throttling / Rate limiting policy
         •   Sandbox / Production endpoint
    •   Event is metered/monitored against the API, Key, IP address, etc
OAuth

•   “An open protocol to allow secure API
    authorization in a simple and standard method
    from desktop and web applications.”

•   Designed to solve the “LinkedIn/Facebook/GMail”
    problem

•   “Valet Key”

•   http://tools.ietf.org/wg/oauth/
Adding Security with BasicAuth/OAuth
OAuth 2
•   What’s wrong with OAuth 1?
    •   Crypto requirements are too onerous
    •   Requires special client side OAuth code
•   OAuth 2 Bearer Tokens
    •   A simple secret token carried over SSL
    •   Allows OAuth2 keys to be used with CURL and common clients
•   OAuth2 Bearer Tokens = API Keys
    •   A token that identifies the application calling the API
    •   Separate from the user who creates it
        •   Limited scope to calling one or more APIs
        •   Can be revoked/renewed without requiring a password change for the user
        •   Hence can be embedded in application code

•   OAuth2 is not yet final, but is stable and implemented
    •   From the perspective of the API client, no “OAuth2” specific code is required
    •   Completely implemented by the API Manager
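Added example, not WSO2 code, tying together the "Understanding the flow" steps and the OAuth2 bearer-token-as-API-key model: the key store hashes tokens at rest, a key identifies the application rather than the user, can be revoked or renewed without touching the user's password, and the gateway check enforces scope and a per-key throttling window before routing to the sandbox or production endpoint. The ApiKey fields, the 60-second window and the HTTP status codes are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Added example, not WSO2 code: a minimal model of the API Manager key store and the
# gateway-side check. Field names, the 60 s throttle window and status codes are assumptions.
@dataclass
class ApiKey:
    application: str        # the key identifies the calling application ...
    owner: str              # ... not the user who subscribed; the user is never sent on the wire
    scopes: frozenset       # APIs this key may call
    environment: str        # "production" or "sandbox" endpoint to route to
    rate_limit: int         # calls allowed per 60 s window (the throttling policy)
    revoked: bool = False
def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()   # store a hash, never the raw secret

class KeyManager:
    def __init__(self):
        self._keys = {}     # sha256(token) -> ApiKey
        self._calls = {}    # sha256(token) -> timestamps of recent accepted calls
        self.events = []    # metering record: (time, api, application, status)
    def issue(self, application, owner, scopes, environment, rate_limit=60):
        token = secrets.token_urlsafe(32)   # opaque bearer secret handed to the application
        self._keys[_digest(token)] = ApiKey(application, owner, frozenset(scopes), environment, rate_limit)
        return token
    def revoke(self, token):
        self._keys[_digest(token)].revoked = True
    def renew(self, token):
        """Rotate the secret: the owner's password is untouched, the app just swaps tokens."""
        old = self._keys[_digest(token)]
        self.revoke(token)
        return self.issue(old.application, old.owner, old.scopes, old.environment, old.rate_limit)
    def authorize(self, auth_header, api, now):
        """Validate 'Authorization: Bearer <token>' for a call to `api` at time `now` (seconds)."""
        scheme, _, token = auth_header.partition(" ")
        key = self._keys.get(_digest(token)) if scheme == "Bearer" else None
        if key is None or key.revoked:
            status = 401                    # unknown, malformed or revoked key
        elif api not in key.scopes:
            status = 403                    # key exists but is not subscribed to this API
        else:
            recent = [t for t in self._calls.get(_digest(token), []) if now - t < 60]
            status = 429 if len(recent) >= key.rate_limit else 200   # per-key rate limit
            self._calls[_digest(token)] = recent + ([now] if status == 200 else [])
        self.events.append((now, api, key.application if key else None, status))
        if status != 200:
            return {"status": status}
        return {"status": 200, "endpoint": key.environment, "application": key.application}
```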
Improvements to the core mediation engine

• The “Gateway” component of the AM is based on our core mediation framework from the ESB

• For API Management there are some key improvements:
  • API model
  • Rate Limiting per Key
  • Passthru performance
APIs and Resources
API Syntax
<api name="AccountManagementAPI" context="/am">
    <resource methods="GET"
              uri-template="/accounts/{accountId}"
              inSequence="GetAccountIn"
              outSequence="GetAccountOut"/>
    <resource methods="PUT"
              uri-template="/accounts/{accountId}"
              inSequence="UpdateAccountIn"
              outSequence="UpdateAccountOut"/>
</api>


Note that this syntax / model is internal to the API Manager and the average user will not need to know this. Advanced use cases can take advantage
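Added example (not WSO2's own code) of how a gateway can use the API model above: parse the `<api>` definition, compile each `uri-template` into an anchored matcher, and select the in/out sequences for an incoming request. Space-separated verbs in `methods` and the 404/405 results are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The <api> definition from the slide, embedded as a constructed string.
API_XML = """
<api name="AccountManagementAPI" context="/am">
  <resource methods="GET" uri-template="/accounts/{accountId}"
            inSequence="GetAccountIn" outSequence="GetAccountOut"/>
  <resource methods="PUT" uri-template="/accounts/{accountId}"
            inSequence="UpdateAccountIn" outSequence="UpdateAccountOut"/>
</api>
"""

def compile_template(template):
    """Turn '/accounts/{accountId}' into an anchored regex with a named group per variable.
    A variable matches exactly one path segment, so '/accounts/1/extra' does not match."""
    parts = re.split(r"\{(\w+)\}", template)      # literal, name, literal, name, ...
    regex = "".join(re.escape(p) if i % 2 == 0 else "(?P<%s>[^/]+)" % p
                    for i, p in enumerate(parts))
    return re.compile("^" + regex + "$")

def load_api(xml_text):
    """Return (context, routes); each route is (methods, matcher, inSequence, outSequence)."""
    root = ET.fromstring(xml_text)
    routes = []
    for res in root.findall("resource"):
        methods = frozenset(res.get("methods").split())   # assumes space-separated verbs
        routes.append((methods, compile_template(res.get("uri-template")),
                       res.get("inSequence"), res.get("outSequence")))
    return root.get("context"), routes

def route(api, method, path):
    """Pick the mediation sequences for a request, or return an HTTP status code.
    Assumes the gateway has already percent-decoded and normalised the path."""
    context, routes = api
    if not path.startswith(context + "/"):
        return 404                                   # outside this API's context
    relative = path[len(context):]
    path_known = False
    for methods, matcher, in_seq, out_seq in routes:
        match = matcher.match(relative)
        if match is None:
            continue
        path_known = True
        if method in methods:
            return in_seq, out_seq, match.groupdict()
    return 405 if path_known else 404                # wrong verb vs. unknown resource
```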
ESB Passthru Latency compared to previous models
Scalable Deployment Architecture
Scalable Analytics Deployment
Demo Use Cases
Roadmap Summary
Q2 2012 (Planned)
•   API Publishing:
     •   Documentation/Samples/SDK/Links to external docs
     •   Tagging
     •   Track consumers by API
     •   View Statistics by API
•   API Subscribing
     •   Search - Rate - TryIt - API Lifecycle Management - Recommend - Post a review
•   API Versioning
•   Manage N APIs via the application concept
•   OAuth2 based Key Management
•   Throttling/SLA Limits per API
•   Integration with BAM for API Statistics
•   Skinnable UI

Q3 2012 (Projected)
•   Integration with 3rd party Key Management Systems
•   Integration with 3rd party repositories such as GITHub
•   Role-based views for usage reports
•   User self-registration
•   OAuth2 / OpenID based login
•   Additional Collaboration Features
•   Monetization
Product Timelines
• WSO2 API Management Platform (WSO2 AMP)
 •   v1.0 Alpha – April 2012
 •   v1.0 Beta – May 2012*
 •   v1.0 Gold – July 2012
 •   v1.5 Gold - September 2012
 •   v2.0 Gold - December 2012

* We are actively looking for alpha/beta customers to provide insight and validate the product design
Beta Programme
http://wso2.com/products/api-manager/
Questions?




             http://www.flickr.com/photos/oberazzi/
Follow us: http://twitter.com/#!/wso2
Contact us: http://wso2.com/contact/
