This document provides information on APIs and API management. It defines what an API and managed API are. It describes the roles of API creator, publisher, and consumer. It also discusses API design, the Richardson maturity model, hypermedia controls, API definition with Swagger, API versioning, security with OAuth 2.0 and JWT tokens, access control with scopes, analytics, throttling, deployment, clustering, caching, and integration.

3. ● An API is a business capability delivered over the Internet to
internal or external consumers
○ Network accessible function
○ Available using standard web protocols
○ With well-defined interfaces
○ Designed for access by third-parties
● A Managed API is:
○ Actively advertised and subscribe-able
○ Available with SLAs
○ Secured, authenticated, authorized and protected
○ Monitored and monetized with analytics

4. ● API Creator - Design, Implements, Manages and Versions API
● API Publisher - Publishes, Promotes and encourages
consumers to adopt APIs
● API Consumer - An Application Developer, understands the
API interface definition.

6. API Design First

7. Richardson Maturity Model
Read more in http://martinfowler.com/articles/richardsonMaturityModel.html

8. Hypermedia Controls

9. Swagger
Swagger is a simple yet powerful
representation of your RESTful API.
Why do I need it ?

10. Publishing an API

11. Adding API Definition

12. API Versioning

13. Securing an API
OAuth 2.0
● Has become the de-facto standard for API Security
● Primarily operates on an Access Token
● Introduces Grant Types and Token Types
● OAuth 2.0 specification defines 4 major grant types
○ Authorization Code
○ Implicit
○ Resource Owner Password Credentials
○ Client Credentials

14. • Recommended for web applications or native mobile
applications capable of spawning a web browser
Authorization Code Grant

15. • Mostly used by Javascript client running in the web
browser
Implicit Grant

16. • Used by trusted Client Applications
Resource Owner Password
Credentials Grant

17. • Two-Legged OAuth. The Client becomes the Resource
Owner
Client Credentials Grant
Type

18. Access Control with Scopes
• OAuth2.0 Scopes, a mechanism to control what access
tokens can do with Resources
Defining a Scope

19. Access Control with Scopes
• Applying a scope to a Resource

20. Fine Grained Access Control

21. Throttling API Usage
• Why do you need to throttle ?
• “Rate Limiting”.
• Let see how to throttle API usage with
APIM. ( demo )

22. JWT Token
{
"typ":"JWT",
"alg":"NONE"
}{
"iss":"wso2.org/products/am",
"exp":1345183492181,
"http://wso2.org/claims/subscriber":"admin",
"http://wso2.org/claims/applicationname":"app2",
"http://wso2.org/claims/apicontext":"/placeFinder",
"http://wso2.org/claims/version":"1.0.0",
"http://wso2.org/claims/tier":"Silver",
"http://wso2.org/claims/enduser":"sumedha"
}
• When to use JWT Token ?
• How does it look like ?

23. JWT Token
Client / Partner
Gateway
Key Manager
Store Publisher
Back EndJWT Token
JWT Token

24. Analytics
Operational Purposes
Know when your system is heating up
Know when to scale up/down
For Alerts/Notifications
Threat detection
Business Purposes
Identify user types/categories by device (User Agent)
Identify usage by Geographical location
Know when to promote/retire your APIs

25. Analytics in API Manager
Back End
Service
Client / Partner
Event Streams Event Streams
STAT DB
Aggregated Data
Statistical data retrive for
display
1 2
3 3
4
5

26. Identity Federation
• Useful in scenarios where you need to authenticate users
through an Identity System that’s already in place

27. Integration with external
OAuth servers
• Enterprises which already have an identity system capable
of doing OAuth might be interested in integrating the API
Management platform with it.

28. API Facade Pattern
• It is an architectural best practice to use the Facade pattern
to clearly separate out the API layer and mediation layer to
facilitate better separation of concerns

29. Deployment FAQ ?
• How many servers do I need to achieve
my performance requirement ?
• How to scale with time ?
• Securing the deployment ?

30. Deployment Performance
Numbers.
• 1300 TPS for EC2 m1.large.
• Upcoming release AM 1.9 has shown
more than 4000 TPS for a tuned setup.
We will be benchmarking on EC2 after
the release.

31. Deployment
Client / Partner Back End

32. Clustering Step 1
Client / Partner Gateway
Key ManagerStore Publisher
Back End

33. Clustering Step 2
Client / Partner
apimgt
db
Gateway
Key ManagerStore Publisher
Back End
greg
db
user
db

34. Clustering Step 4
Client / Partner Back End
GW Manager
GW Worker Nodes
SVN

35. Clustering Step 5
Client / Partner
Gateway
Cluster
Key Manager
Cluster
Store
Back End
Publisher

36. Caching Step 6
Client / Partner
Gateway
Cluster
Key Manager
Cluster
Store
Back End
Publisher

37. Securing Deployment
Client / Partner
Gateway
Cluster
Key Manager
Cluster
Store
Back End
Publisher
DMZ

38. Integration and Automation
• We are working on a complete RESTful
API for API Manager.
• Can find the swagger definition at http:
//hevayo.github.io/restful-apim/#/