What API Management Tool to Consider

  • Status: accepted
  • Deciders: devs
  • Date: 2020-09-14

Technical Story: Design of API Gateway / API Portal

Context and Problem Statement

Is there an available tool that complies with the requirements? Can the tool provide API Gateway functionality? Can the tool provide API Developer Portal functionality?

Requirements

Since the API Gateway is intended for students and startups gathering open government data, the following requirements must be fulfilled. The student or startup is defined as the Consumer of the service. The organization that delivers the service as an open service is defined as the Provider of the service. The open service is hosted on the organization's X-Road server. The API Gateway must provide functionality for:
  • Registration of services with rate limit
  • Self-service portal
  • API key for Consumer
  • Rate limit for Consumer

Provider

  • Register open service in API gateway.
  • Set rate limit on open service in API gateway.

Consumer

  • Register as service user.
  • Register application intended to use API (Consideration).
  • Get API key for that application or consumer.
  • Register what API to use in the application.
  • Ability to test the API from API console with application API key (Consideration).

Considerations

API Keys / Rate Limits: Is it sufficient to have only one API key per Consumer, or is it required to define different Consumer applications, each with its own API key? If a typical Consumer has already created an application and holds a valid API key, it is likely that they will not bother to register a new application and obtain a new key; they could simply reuse the one already given. A Consumer could, however, also use the ability to register another application and obtain a new API key with fresh rate limits.
Consumer registration: What will be used to validate or approve students and startups for access to the services? Should they be registered by SSN or some other unique id, or only by email, with the ability to re-register with a new email again and again?
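As an added illustration (not code from this ADR or from any of the evaluated products), the Provider/Consumer flow from the Requirements and the API-key consideration above, as a small in-memory gateway model. `Gateway`, `quota_reachable`, the service name `open-data` and the Consumer `student-1` are constructed names. The `scope` switch shows why the consideration matters: counted per key, a Consumer who registers a second application doubles the quota; counted per Consumer, the Provider's limit holds across all of that Consumer's keys.

```python
import secrets
import time
from collections import defaultdict

class Gateway:
    # scope "key": limit counted per API key; "consumer": shared by all keys of one Consumer
    def __init__(self, scope="key", window_seconds=60):
        self.scope, self.window = scope, window_seconds
        self.services = {}                      # service -> allowed hits per window
        self.keys = {}                          # api key -> (consumer, application)
        self.subscriptions = defaultdict(set)   # api key -> subscribed services
        self.counters = defaultdict(int)        # (subject, service, window) -> hits

    def register_service(self, name, rate_limit):   # Provider registers an open service
        self.services[name] = rate_limit

    def issue_key(self, consumer, application):     # Consumer registers an application
        key = secrets.token_urlsafe(24)             # random, not derived from identity
        self.keys[key] = (consumer, application)
        return key

    def subscribe(self, key, service):              # Consumer registers which API to use
        if key not in self.keys or service not in self.services:
            raise KeyError("unknown key or service")
        self.subscriptions[key].add(service)

    def request(self, key, service, now=None):
        """HTTP-style result: 401 unknown key, 403 not subscribed, 429 over limit, 200 ok."""
        if key not in self.keys:
            return 401
        if service not in self.subscriptions[key]:
            return 403
        consumer, _ = self.keys[key]
        subject = key if self.scope == "key" else consumer
        window = int((time.time() if now is None else now) // self.window)
        bucket = (subject, service, window)
        if self.counters[bucket] >= self.services[service]:
            return 429
        self.counters[bucket] += 1
        return 200

def quota_reachable(scope, apps=2, limit=3):
    """Constructed scenario: one Consumer registers `apps` applications for a service
    limited to `limit` hits per window and calls until refused; returns hits served."""
    gw = Gateway(scope=scope)
    gw.register_service("open-data", limit)
    keys = [gw.issue_key("student-1", f"app-{i}") for i in range(apps)]
    for k in keys:
        gw.subscribe(k, "open-data")
    served = 0
    for k in keys:
        for _ in range(limit + 1):
            served += int(gw.request(k, "open-data", now=1000.0) == 200)
    return served
```

With per-key scope the scenario serves 6 requests, with per-Consumer scope only 3; the second is the setting to choose if the Provider's rate limit is meant to bound one student or startup rather than one application.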

Decision Drivers

  • Vendor lock in for runtime
  • Open source or not
  • Installation options
  • Functional ability
  • Market presence
  • Pricing
Pricing models for API management solutions are complex. They are usually based on transaction count or on CPU instances; sometimes the pricing is a combination of an annual fee and a transactional fee. All prices exposed in this documentation are estimates and need to be negotiated with the vendor.
There is a consideration that most API management providers target customers with hosted solutions rather than on-prem installation, which would create lock-in to that vendor.

Functional ability for decision

Functional abilities to consider when evaluating the tool. The following list was taken from the Wikipedia page for API Management.
  • Gateway: a server that acts as an API front-end, receives API requests, enforces throttling and security policies, passes requests to the back-end service and then passes the response back to the requester. A gateway often includes a transformation engine to orchestrate and modify the requests and responses on the fly. A gateway can also provide functionality such as collecting analytics data and providing caching. The gateway can provide functionality to support authentication, authorization, security, audit and regulatory compliance.
  • Publishing tools: a collection of tools that API providers use to define APIs, for instance using the OpenAPI or RAML specifications, generate API documentation, manage access and usage policies for APIs, test and debug the execution of API, including security testing and automated generation of tests and test suites, deploy APIs into production, staging, and quality assurance environments, and coordinate the overall API lifecycle.
  • Developer portal/API store: community site, typically branded by an API provider, that can encapsulate for API users in a single convenient source information and functionality including documentation, tutorials, sample code, software development kits, an interactive API console and sandbox to trial APIs, the ability to subscribe to the APIs and manage subscription keys such as OAuth2 Client ID and Client Secret, and obtain support from the API provider and user and community.
  • Reporting and analytics: functionality to monitor API usage and load (overall hits, completed transactions, number of data objects returned, amount of compute time and other internal resources consumed, volume of data transferred). This can include real-time monitoring of the API with alerts being raised directly or via a higher-level network management system, for instance, if the load on an API has become too great, as well as functionality to analyze historical data, such as transaction logs, to detect usage trends. Functionality can also be provided to create synthetic transactions that can be used to test the performance and behavior of API endpoints. The information gathered by the reporting and analytics functionality can be used by the API provider to optimize the API offering within an organization's overall continuous improvement process and for defining software Service-Level Agreements for APIs.
  • Monetization: functionality to support charging for access to commercial APIs. This functionality can include support for setting up pricing rules, based on usage, load and functionality, issuing invoices and collecting payments including multiple types of credit card payments.

Considered Options

Considered options functional matrix

The following matrix checks the options. The options were checked by reading documentation and reviews. A gap in the matrix does not mean that the feature is absent, only that it was not noted in the documentation.
API Management Tools (columns, in order): Apigee Edge, Mulesoft Anypoint, Software AG, IBM, Axway, Tibco Mashery, AWS, Akana, Sensedia, Kong, Red Hat 3Scale, WSO2, Tyk, Boomi, Azure, Nginx Plus, Broadcom, KrakenD, Netflix Zuul, API Umbrella, Express Gateway, Gravitee.io

Each row below lists the recorded cell values in column order; cells with no recorded value are omitted, so a row with fewer entries than tools cannot be aligned to specific tools.

Platform Information
  • On premise installation (20 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
  • Cloud Service (14 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
  • Hybrid Installation (5 entries): Yes, Yes, Yes, Yes, Yes
  • Open Source (21 entries): No, Yes/No, No, No, No, No, No, No, Yes, Yes, Yes, Yes, No, No, No, No, Yes, Yes, Yes, Yes, Yes
  • License model (21 entries): Paid, Paid, Paid, Paid, Paid, Paid, Paid, Paid, Paid, Apache/Paid, Apache/Paid, Mozilla/Paid, Paid, Paid, Paid, Paid, Apache, Apache, MIT, Apache License, Apache License
  • Cost of usage (on prem):
  • Cost of usage (cloud):
  • Gartner 2019 (21 entries): #1, #2, #3, #4, #5, #6, #12, #9, #7, #8, #10, #17, #20, #14, N/A, #13, N/A, N/A, N/A, N/A, N/A
  • Forrester 2020 (20 entries): #3, #6, #1, #2, #5, #6, #5, #14, #11, #4, #12, N/A, #13, N/A, N/A, N/A, N/A, N/A, N/A, N/A
  • Forrester 2018 (19 entries): #2, #10, #3, #1, #7, #6, #4, #15, #5, #12, N/A, #12, N/A, N/A, N/A, N/A, N/A, N/A, N/A
  • Forrester Market presence 2020 (20 entries): 1, 1, 2, 1, 3, 2, 4, 5, 3, 3, 5, N/A, 2, N/A, N/A, N/A, N/A, N/A, N/A, N/A
  • Forrester Market presence 2018 (20 entries): 1, 1, 3, 2, 3, 3, 5, 5, 3, 3, 5, N/A, 2, N/A, N/A, N/A, N/A, N/A, N/A, N/A

Gateway
  • OAuth (19 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
  • OpenID Connect (15 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
  • Caching (17 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
  • Throttling / Rate limit (19 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, No, Yes, Yes, Yes
  • Analytics (15 entries): Yes, ?, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, No
  • Stages (prod/dev/test) (10 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes

Publishing Tool
  • Publishing Tool (5 entries): Yes, Yes, Yes, Yes, No
  • OpenAPI Description (16 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, No, Yes
  • RAML API Descriptor (7 entries): Yes, Yes, Yes, Yes, Yes, Yes, No
  • SOAP WSDL Description (11 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
  • Does the tool provide Life Cycle Management of Services? (10 entries): Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
  • Message Mediation / Orchestration / Transformations (2 entries, row cut off): Yes, Yes