1. lean . enterprise . middleware
WSO2 API Management Platform
Chris Haddad
VP, Technology Evangelism
Paul Fremantle,
CTO and Co-Founder
Asanka Abeysinghe
Director, Solutions Architecture
© WSO2 2011. Not for redistribution. Commercial in Confidence.

2. Business APIs
“APIs provide a way to make resources
available for internal and external
partners to access information and
services.”

3. API Architecture
An API is a business capability delivered over the Internet
to internal or external consumers
• Network accessible function
• Available using standard web protocols
• With well-defined interfaces
• Designed for access by third-parties
A Managed API is:
• Actively advertised and subscribe-able
• Exhibits high Quality of Service (QoS)
• Available with Service Level Agreements (SLAs)
• Secured, authenticated, authorized and protected
• Monitored and monetized with analytics

4. A note on our development
process
• WSO2 uses an agile, iterative development process
• v1.0 is a Minimum Viable Product
• http://en.wikipedia.org/wiki/Minimum_viable_product
• Just enough features to allow a subset of users to deploy
the system in production
• Each further release is aimed at meeting specific
user requirements
• Not everything we say today may end up in v1.0
• You can follow progress on dev@wso2.org
• And by joining the Beta programme (details at the end)

5. WSO2 API Management Platform

6. API Store Features

7. API Publisher Features

8. API Management Platform Details
• Full support for web protocols:
• JSON/HTTP(S), REST interactions
• SOAP/HTTP(S), XML/HTTP(S)
• Non-blocking high-performance HTTP transport handles 000s of concurrent
connections
• API Key Management based on OAuth2
• Get Key (with or without asynchronous approval process)
• Renew Key
• Revoke Key
• Monitoring and analytics
• Latency, Response Time, Failures vs Success, Total Transactions,
Transactions by API Key
• By user specified time period as well as over the last 1m, 5m, 10m, 1hr, 4hr,
8hr, 24hr periods

9. API Key Use Case

10. Understanding the flow
• API Publisher adds API into API Manager
• [Optionally provides sandbox endpoint]
• API Governance / Admin approves publish
• …
• API Consumer finds API
• API Consumer subscribes to API Key
• [optional approval process]
• OAuth2 Bearer Key issued
• [optionally issue both production and sandbox keys]
• …
• API Consumer application makes a call
• API Key is validated
• API Key metadata is used to identify:
• Throttling / Rate limiting policy
• Sandbox / Production endpoint
• Event is metered/monitored against the API, Key, IP address, etc

11. OAuth
• “An open protocol to allow secure API
authorization in a simple and standard method
from desktop and web applications.”
• Designed to solve the “LinkedIn/Facebook/GMail”
problem
• “Valet Key”
• http://tools.ietf.org/wg/oauth/

12. Adding Security with BasicAuth/OAuth

13. OAuth 2
• What’s wrong with OAuth 1?
• Crypto requirements are too onerous
• Requires special client side OAuth code
• OAuth 2 Bearer Tokens
• A simple secret token carried over SSL
• Allows OAuth2 keys to be used with CURL and common clients
• OAuth2 Bearer Tokens = API Keys
• A token that identifies the application calling the API
• Separate from the user who creates it
• Limited scope to calling one or more APIs
• Can be revoked/renewed without requiring a password change for the user
• Hence can be embedded in application code
• OAuth2 is not yet final, but is stable and implemented
• From the perspective of the API client, no “OAuth2” specific code is required
• Completely implemented by the API Manager

14. Improvements to the core mediation engine
• The“Gateway” component of the AM is
based on our core mediation framework
from the ESB
• For
API Management there are some key
improvements:
• API model
• Rate Limiting per Key
• Passthru performance

15. APIs and Resources

16. API Syntax
<api name="AccountManagementAPI" context="/am">
<resource methods="GET"
uri-template="/accounts/{accountId}"
inSequence="GetAccountIn"
outSequence="GetAccountOut"/>
<resource methods="PUT"
uri-template="/accounts/{accountId}”
inSequence="UpdateAccountIn"
outSequence="UpdateAccountOut"/>
</api>
Note that this syntax / model is internal to the API Manager and the
average user will not need to know this. Advanced use cases can take
advantage

17. ESB Passthru Latency compared to previous models

18. Scalable Deployment Architecture

19. Scalable Analytics Deployment

20. Demo Use Cases

21. Roadmap Summary
Q2 2012 Q3 2012
(Planned) (Projected)
• API Publishing: • Integration with 3rd party Key Management
• Documentation/Samples/SDK/Links to Systems
external docs • Integration with 3rd party repositories such
as GITHub
• Tagging
• Role-based views for usage reports
• Track consumers by API
• User self-registration
• View Statistics by API
• OAuth2 / OpenID based login
• API Subscribing
• Additional Collaboration Features
• Search - Rate - TryIt - API Lifecycle
• Monetization
Management - Recommend - Post a
review
• API Versioning
• Manage N APIs via the application concept
• OAuth2 based Key Management
• Throttling/SLA Limits per API
• Integration with BAM for API Statistics
• Skinnable UI

22. Product Timelines
• WSO2 API Management Platform (WSO2 AMP)
• v1.0 Alpha – April 2012
• v1.0 Beta – May 2012*
• v1.0 Gold – July 2012
• v1.5 Gold - September 2012
• v2.0 Gold - December 2012
* We are actively looking for alpha/beta customers to provide insight and validate
the product design

23. Beta Programme
http://wso2.com/products/api-
manager/

24. Questions?
http://www.flickr.com/photos/oberazzi/
24

25. Follow us:
http://twitter.com/#!/wso2
Follow us:
Contact us:
http://twitter.com/#!/wso2
http://wso2.com/contact/