OCTO-Refcard API Management BD-1


QUICK REFERENCE CARD

API Management Essentials

THERE IS A BETTER WAY

“Anytime, Anywhere, Any Device” is the main objective of digital transformation. APIs are a solution providing “Business Agility” as they allow the creation of new business models and to quickly build new applications for upcoming digital devices.

- APIs are the industrialization of the consumption of an enterprise’s resources on the Web, facilitated by API Management platforms.
- API management is the process of publishing APIs, enforcing their usage policies, controlling access, nurturing the subscriber community, collecting and analyzing usage statistics, and reporting performance metrics and data.
- An API strategy is often summarized as “buying the right API Management product.” But the reality is that API Management solutions only address a minor part of an API strategy’s objectives.

This reference card enumerates the key features of API Management platforms and how to integrate them incrementally to ease and accelerate its implementation. Our recommendations are based on our vision and our hands-on experience in API development.

"With a taste of a poison paradise, I’m addicted to you, Don’t you know that you’re toxic"
- Britney Spears - In the Zone album - 2004

DISCLAIMER
OCTO Technology is an independent consulting and implementation company: hence, we don’t receive any fees from API Management vendors. Please check out our blog https://blog.octo.com, and feel free to comment or challenge this API cookbook. We’re really looking forward to hearing from you.

AUTHORS
Powered with by Antoine Chantalou, Armen Ozcelik, Daniel Sabin, Adrien Graux, Franck Romano, Sophie Delronge & WOAPI Tribe.

octo.com | blog.octo.com

When to implement an API Management product

This decision tree aims to help you:
- Know when to use API Management products
- Know when to setup incrementally and use a specific API Management module when needed

Start Simple and Add Features Incrementally
- Your solution should be usable as soon as possible with prioritized features
- A new feature should not block the use of the API Management solution
- You must own the deployment and configuration of your API's publication
- For a better TTM (Time To Market), think “value-first”: implement API Management features that meet your and your consumers’ needs

Externalizable APIs must…
- Be well-designed: vulgarized, intuitive, inspired by the state-of-the-art of API designs
- Handle fine-grained access: authentication and authorization
- Be testable: provide a sandbox environment
- Offer a clear SLA (Service Level Agreement) in accordance with the product strategy

DO I HAVE EXTERNALIZABLE APIS?
- NO: You can improve your existing services management
- YES: You need API Gateway and API Management portal modules

Existing Services
A service catalogue and usage statistics will improve your observability and monitoring. Different solutions may help you achieve this, such as Service Mesh or API Gateway.

DO I WANT OR DO I HAVE AN INCREASING NUMBER OF CONSUMERS?
- NO
- YES: You need a Developer portal module

How do I wish to authenticate and authorize my consumers?
- Client application only: You need an OAuth2 Client credentials flow in Security module
- Both client application and users connected to the client: see the next question

DOES MY APP NEED TO MANAGE MULTIPLE IDENTITY PROVIDERS? (YOUR LOGIN SCREEN, GOOGLE, FACEBOOK, GITHUB, ETC.)
- NO: You need an OAuth2 Code grant and an implicit grant flow in Security module
- YES: You need an OIDC Code grant and an implicit grant flow in Security module

DO I WANT TO MONETIZE MY APIs?
- NO: You can define a business model
- YES: You need a Billing module

We believe that API IS THE ENGINE OF DIGI+AL STRATEGY
WE KNOW that the Web infiltrates AND transforms COMPANIES
WE WORK +OGETHER, with passion, TO CONNECT BUSINESS & IT
We help you CREATE OPPORTUNITIES AND EMBRACE THE WEB Inside & Out

What is an API Management Solution?

An API Management solution is a tool that industrializes the consumption of your APIs and is made for three kinds of users:
- Developers consuming APIs
- Developers publishing their APIs
- API Managers configuring the API Management solution, monitoring consumption, communicating with consumers, planning the roadmap...

AN API MANAGEMENT GENERALLY OFFERS THE FOUR FOLLOWING FEATURES:

API MANAGEMENT PORTAL
User enrolment - Publication / Versioning - Usage Statistics - Quotas

DEVELOPER PORTAL
Self enrolment - API Doc / Try it interface

SECURITY
API KEY - OAuth2 / OIDC Complicated

API PROTOCOL TRANSFORMATION MODULE
Tool to perform protocol transformations (ex: SOAP to REST)

WARNINGS

SECURITY
Most API Management solutions offer a security module and Identity Provider features. Those features are almost never Plug&Play and will require customization and development. We recommend the use of a dedicated security module with on-premise or cloud solutions.

API PROTOCOL TRANSFORMATION MODULE
We don’t recommend the use of this module because it is proprietary and locks you into a vendor, thus creating maintenance complexity of your produced API.

© OCTO Technology 2019 - All rights reserved
This Refcard is printed on PEFC-certified paper.
API Management governance

The following organization patterns are the ones we see the most. In fact, we frequently observe an evolution from Centralized API Facade pattern to Decentralized API Component teams or Decentralized Feature teams patterns. At large scale, decentralized API Component teams pattern is the most observed. This model mixes scaled agile organizations and API Management product constraints. Global API product owner and global API technical leader are key roles, as they share their knowledge with communities of practice and promote the API vision.

Centralized API Facade
- When the number of API consumers is not scaling
- To start building an API with a fast TTM

Decentralized Feature teams
- When the main asset of the company is one main front-end application, which requires a short TTM
- When the API is not a strategic asset
- When the scope of the API and related front-end applications is small (a team of 10 people is enough to develop it)

Decentralized API Component teams
- When the company has several front-end applications of major importance
- When API is considered as a strategic asset by the company

[Diagrams: organization charts for the three patterns, showing API consumers, the API Team or API Facade, Feature teams #1 to #N, Component teams API #1 to #N (API Product owner, API Technical Leader, DEVs, OPSs), the API Management team (DEVs, OPSs), the API Management platform (Gateway, Security, Developer portal, API Management portal) and backends #1 to #N]

API Team & API Management

API Management
- Build and Run platform
- Define API execution plans
- Manage API clients (access removal...)
- Monitor usage statistics
- Handle coarse grain security
- Setup profiles (security, cache policy, plugins…)

API Governance
- Promote the global API vision
- Promote externalisable APIs
- Aim for a great Developer eXperience (TTFAC)
- Publish an API design guide for API providers
- Publish an API onboarding guide for API providers
- Coordinate API consumers and API providers roadmap
- Animate API communities of practices
- Write and publish API global documentation (business and technical)

API Providers Teams
- Publish APIs on the API Management platform with profiles
- Design the API
- Provide a sandbox environment for testability
- Write and publish the API documentation (business and technical)
- Define API lifecycle & versioning
- Provide Fine grain security

How it works

Developer portal & API management portal: initialization scenario

API Managers perform their actions (API registration, monitoring…) in the API Management portal, while Developers must use the Developer portal. These steps are not dependent on a particular API Management solution.

[Diagram lanes: DEVELOPER & DEVELOPER PORTAL; API MANAGER & API MANAGEMENT PORTAL]
- API registration (name, upstream URL, documentation, scopes)
- API configuration (quotas, security e.g., OAuth2, API Key)
- Creates its developer account
- Optional - Validates the developer account
- Reads general and API documentation
- Registers a client to get credentials (name, required APIs, client type - batch, SPA, mobile…)
- Optional - Validates the client (depending on your validation criteria)
- First call to API in Production environment (Time to first API call: 15 minutes)
- Monitors the usage of APIs (calls, logs…)
- Monitors clients’ usage (calls, remaining quotas, pricing…)

Gateway & Security

When a client submits a request to an API through an API Management tool, the following steps occur, no matter the chosen API Management solution.
- ACCESS CONTROL
- TRAFFIC CONTROL (quotas, throttling,...)
- FORWARD TO RESOURCE SERVER

[Diagram: Client, Request, Resource Server, Response. Request path: API identification, Security, Custom, Cache, Routing. Response path: Cache management, Monitoring (response time…), Custom]
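The three gateway steps above (access control, traffic control, forward to resource server) can be sketched as follows. This is an added example, not code from the reference card or from any API Management product; the registry contents, API keys, upstream URL and the fixed one-minute quota window are all constructed assumptions.

```python
import time
from dataclasses import dataclass, field

# Constructed registry: the fields mirror the card's "API registration" and
# "API configuration" steps (name, upstream URL, scopes, quotas, API key).
APIS = {"/orders": {"upstream": "http://orders.internal.example:8080",
                    "scope": "orders:read", "quota_per_min": 2}}
CLIENTS = {"key-batch-01": {"name": "batch-client", "scopes": {"orders:read"}},
           "key-spa-02": {"name": "spa-client", "scopes": set()}}

@dataclass
class Gateway:
    window: dict = field(default_factory=dict)  # (client, api) -> [window_start, count]
    log: list = field(default_factory=list)     # monitoring: one record per request

    def handle(self, path, api_key, now=None):
        now = time.time() if now is None else now
        status, target = self._decide(path, api_key, now)
        self.log.append((now, path, CLIENTS.get(api_key, {}).get("name"), status))
        return status, target

    def _decide(self, path, api_key, now):
        # 1. Access control: API identification, then client authn and authz.
        api = APIS.get(path)
        if api is None:
            return 404, None
        client = CLIENTS.get(api_key)
        if client is None:
            return 401, None          # unknown or missing credential
        if api["scope"] not in client["scopes"]:
            return 403, None          # known client, scope not granted
        # 2. Traffic control: fixed one-minute window per client and API.
        slot = self.window.setdefault((client["name"], path), [now, 0])
        if now - slot[0] >= 60:
            slot[0], slot[1] = now, 0
        if slot[1] >= api["quota_per_min"]:
            return 429, None
        slot[1] += 1
        # 3. Forward to resource server: routing only; no HTTP call is made here.
        return 200, api["upstream"] + path
```

Rejected requests never reach the quota counter or the upstream, and every decision is logged, which is what makes the per-client usage monitoring in the API Management portal possible.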

How to manage your API environments?

We believe that API teams must expose a live version and a sandbox of their API. A single development environment is necessary for the team to develop and test the API before deploying.
- One sandbox environment for all non-production environments
- Sandbox & live APIs are only accessible through gateway
- Client must not have access to API development environment directly
- Client may use a try-it API linked with sandbox

API Management
- One production environment
- A staging environment to test the API Management solution before deployment

API's
- Sets two API production environments (live and sandbox)
- Never gives client applications access to their non-production environments

[Diagram: a client application reaches the API Management PRODUCTION environment (Gateway, Security, Developer portal, API Management portal), which fronts API (sandbox) and API (live); the DEVELOPMENT and TEAM environments are separate. Caption: Clients only see production environment!]

API Management integration patterns

Full SaaS
+ Excellent TTM
- The API Management vendor has an access to your Information System
- Higher latency between cloud gateway and on-premise API

On-Premise
+ Suitable when cloud deployment is not allowed for security reasons: storing sensitive data is your core business or a strategic asset.
- Requires maintaining the solution (patch, security…)
- Poor time to market

Hybrid
+ Gateway close to on-premise APIs
- Requires monitoring response time if providers are on the cloud

Hybrid with Cloud Strategy
+ Good TTM
+ Good choice if your strategy targets cloud API back-end
+ Gateway close to APIs deployed on PaaS/IaaS
- Higher latency between cloud gateway and on-premise API

Hybrid Double Gateway
+ Better performance with external users on cloud gateway and internal users on on-premise gateway
+ Gateway always close to APIs
- No direct communication between the entry point (gateway in the cloud) and the Information System (on-premise): monitor response time

Coming soon… Microgateway
+ Optimization of network flows and performance
- Hard to implement: more OPS effort to supervise and deploy
- There are no PROD-Ready solutions

[Diagrams: for each pattern, placement of the API Management components (Gateway, Security, Developer portal, API Management portal, Micro gateway) and of the APIs across Cloud SaaS, Cloud PaaS / IaaS and On-premise]

API management platforms are evolving

Two patterns are opposing: the central gateway vs. the microgateway. There are currently no tools able to answer to both patterns. Some API Management solutions are introducing Service Mesh features. Service Mesh tools are also introducing API Management features. So, be aware and make your API Management solution as evolutive as possible – you should be able to easily make changes and updates.

Common mistakes

BELIEVING THAT AN API MANAGEMENT TOOL IS A GOLDEN HAMMER
API Management products only address a minor part of an API Strategy (functional, technical, organizational objectives).

RELYING ONLY ON YOUR API MANAGEMENT PLATFORM TO BUILD YOUR API
Your API will need to be crafted by developers with love.

IMPLEMENTING ALL FEATURES OF THE API MANAGEMENT PRODUCT BEFORE USING IT
You must iterate on the implementation of the API Management tool in order to understand and adapt it to real use-cases in production.

BELIEVING THAT AN API MANAGEMENT TOOL HELPS FOR VERSIONING AND API LIFECYCLE
API Management must not manage the versioning of your APIs, which must instead be crafted and developed at the applicative level. However, API Management can ease breaking changes by allowing you to know your consumers, the endpoints they use, and communicate with them.

Start the quiz to know which API Management solution best fits your context. Or go to: https://api-by-octo.octo.com
