What API Management Tool to Consider
- Status: accepted
- Deciders: devs
- Date: 2020-09-14
Technical Story: Design of API Gateway / API Portal
Is there an available tool that complies with the requirements? Can the tool provide functionality for an API Gateway? Can the tool provide functionality for an API Development Portal?
Since the API Gateway is intended for students and startups gathering open government data, the following requirements must be fulfilled. The student or startup is defined as the Consumer of a service. The organization that delivers the service as an open service is defined as the Provider of the service. The open service is hosted on the organization's X-Road server. The API Gateway must provide functionality for:
- Registration of services with rate limit
- Self-service portal
- API key for Consumer
- Rate limit for Consumer
- Register open service in API gateway.
- Set rate limit on open service in API gateway.
- Register as service user.
- Register application intended to use API (Consideration).
- Get API key for that application or consumer.
- Register what API to use in the application.
- Ability to test the API from API console with application API key (Consideration).
API Keys / Rate Limits
Is it sufficient to have only one API key for each Consumer, or is it required to define different Consumer applications with different API keys? If a typical Consumer has created an application and has a valid API key, it is likely that they will not bother to register a new application and get a new API key; they could reuse the one already given. A Consumer could also use the ability to register another application and get a new API key with fresh rate limits.
Consumer registration
What will be used to validate / approve students or startups for access to services? Should they be registered by SSN or some other unique id, or only by email, with the ability to re-register with a new email again and again?
- Vendor lock-in for runtime
- Open source or not
- Installation options
- Functional ability
- Market presence
Pricing models for API management solutions are complex. They are usually based on transaction count or CPU instances; sometimes the pricing is a combination of an annual fee and a transactional fee. All prices exposed in this documentation are estimates and need to be negotiated with the vendor.
There is a consideration that most API management providers are aiming at customers of hosted solutions instead of on-prem installations, which would create lock-in to that vendor.
- Gateway: a server that acts as an API front-end, receives API requests, enforces throttling and security policies, passes requests to the back-end service and then passes the response back to the requester. A gateway often includes a transformation engine to orchestrate and modify the requests and responses on the fly. A gateway can also provide functionality such as collecting analytics data and providing caching. The gateway can provide functionality to support authentication, authorization, security, audit and regulatory compliance.
- Publishing tools: a collection of tools that API providers use to define APIs, for instance using the OpenAPI or RAML specifications, generate API documentation, manage access and usage policies for APIs, test and debug the execution of API, including security testing and automated generation of tests and test suites, deploy APIs into production, staging, and quality assurance environments, and coordinate the overall API lifecycle.
- Developer portal/API store: community site, typically branded by an API provider, that can encapsulate for API users in a single convenient source information and functionality including documentation, tutorials, sample code, software development kits, an interactive API console and sandbox to trial APIs, the ability to subscribe to the APIs and manage subscription keys such as OAuth2 Client ID and Client Secret, and obtain support from the API provider and user community.
- Reporting and analytics: functionality to monitor API usage and load (overall hits, completed transactions, number of data objects returned, amount of compute time and other internal resources consumed, volume of data transferred). This can include real-time monitoring of the API with alerts being raised directly or via a higher-level network management system, for instance, if the load on an API has become too great, as well as functionality to analyze historical data, such as transaction logs, to detect usage trends. Functionality can also be provided to create synthetic transactions that can be used to test the performance and behavior of API endpoints. The information gathered by the reporting and analytics functionality can be used by the API provider to optimize the API offering within an organization's overall continuous improvement process and for defining software Service-Level Agreements for APIs.
- Monetization: functionality to support charging for access to commercial APIs. This functionality can include support for setting up pricing rules, based on usage, load and functionality, issuing invoices and collecting payments including multiple types of credit card payments.
The following list checks out the options. The options were checked by looking into documentation and reading reviews. A gap in the matrix does not mean that the option does not exist, only that it was not noted in the documentation.