This document provides information on APIs and API management. It defines what an API and managed API are. It describes the roles of API creator, publisher, and consumer. It also discusses API design, the Richardson maturity model, hypermedia controls, API definition with Swagger, API versioning, security with OAuth 2.0 and JWT tokens, access control with scopes, analytics, throttling, deployment, clustering, caching, and integration.
WSO2Con EU 2015: API Management Strategies and Best Practices
3. ● An API is a business capability delivered over the Internet to internal or external consumers
○ Network accessible function
○ Available using standard web protocols
○ With well-defined interfaces
○ Designed for access by third-parties
● A Managed API is:
○ Actively advertised and subscribe-able
○ Available with SLAs
○ Secured, authenticated, authorized and protected
○ Monitored and monetized with analytics
4. ● API Creator - Designs, Implements, Manages and Versions APIs
● API Publisher - Publishes, Promotes and encourages consumers to adopt APIs
● API Consumer - An Application Developer, who understands the API interface definition
13. Securing an API
OAuth 2.0
● Has become the de-facto standard for API Security
● Primarily operates on an Access Token
● Introduces Grant Types and Token Types
● OAuth 2.0 specification defines 4 major grant types
○ Authorization Code
○ Implicit
○ Resource Owner Password Credentials
○ Client Credentials
14. Authorization Code Grant
• Recommended for web applications or native mobile applications capable of spawning a web browser
15. Implicit Grant
• Mostly used by JavaScript clients running in the web browser
16. Resource Owner Password Credentials Grant
• Used by trusted Client Applications
17. Client Credentials Grant Type
• Two-Legged OAuth. The Client becomes the Resource Owner
18. Access Control with Scopes
• OAuth 2.0 Scopes, a mechanism to control what access tokens can do with Resources
Defining a Scope
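To make slides 13 to 18 concrete, the following is an added example (not WSO2 code and not from the deck): a minimal in-memory OAuth 2.0 token endpoint that handles the Client Credentials and Authorization Code grants, plus the resource-server check that an access token carries the scope a resource requires. Client ids, secrets and scope names are constructed sample values.

```python
"""Minimal in-memory OAuth 2.0 token endpoint with scope enforcement.

Added example. Models two of the four grant types named on the slides
(client_credentials and authorization_code) and scope-based access control.
Every client id, secret, code and scope below is a constructed sample value.
"""
import hmac
import secrets
import time

# Constructed client registry: id -> secret, permitted grant types, registered scopes
CLIENTS = {
    "partner-app": {
        "secret": "s3cret-partner",
        "grants": {"authorization_code", "client_credentials"},
        "scopes": {"orders:read", "orders:write"},
    },
}
SUPPORTED_GRANTS = {"authorization_code", "client_credentials"}

AUTH_CODES = {}   # one-time codes: code -> (client_id, user, granted scopes)
TOKENS = {}       # issued tokens: token -> (client_id, subject, scopes, expiry)
TOKEN_TTL = 3600  # seconds


def issue_auth_code(client_id, user, requested_scopes):
    """Simulate user consent at the authorization endpoint; returns a one-time code."""
    client = CLIENTS[client_id]
    # never grant more than the client registered for
    granted = set(requested_scopes) & client["scopes"]
    code = secrets.token_urlsafe(16)
    AUTH_CODES[code] = (client_id, user, granted)
    return code


def _authenticate_client(client_id, client_secret):
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    # constant-time comparison so the secret is not leaked through timing
    if not hmac.compare_digest(client["secret"], client_secret):
        return None
    return client


def token_endpoint(params):
    """Handle a token request; returns a dict shaped like the endpoint's JSON body."""
    client = _authenticate_client(params.get("client_id", ""), params.get("client_secret", ""))
    if client is None:
        return {"error": "invalid_client"}
    grant = params.get("grant_type")
    if grant not in SUPPORTED_GRANTS:
        return {"error": "unsupported_grant_type"}
    if grant not in client["grants"]:
        return {"error": "unauthorized_client"}

    if grant == "client_credentials":
        # two-legged OAuth: the client itself is the resource owner
        subject = params["client_id"]
        scopes = set(params.get("scope", "").split()) & client["scopes"]
    else:  # authorization_code
        entry = AUTH_CODES.pop(params.get("code"), None)  # single use
        if entry is None or entry[0] != params["client_id"]:
            return {"error": "invalid_grant"}
        _, subject, scopes = entry

    token = secrets.token_urlsafe(32)
    TOKENS[token] = (params["client_id"], subject, scopes, time.time() + TOKEN_TTL)
    return {
        "access_token": token,
        "token_type": "Bearer",
        "expires_in": TOKEN_TTL,
        "scope": " ".join(sorted(scopes)),
    }


def check_access(token, required_scope):
    """Resource-server check: token known, unexpired, and carrying the required scope."""
    entry = TOKENS.get(token)
    if entry is None or entry[3] < time.time():
        return False
    return required_scope in entry[2]


if __name__ == "__main__":
    resp = token_endpoint({"grant_type": "client_credentials", "client_id": "partner-app",
                           "client_secret": "s3cret-partner", "scope": "orders:read admin"})
    print(resp["scope"], check_access(resp["access_token"], "orders:write"))
```

Two details carry the security point: scopes are intersected with what the client registered, so a client cannot request its way into a scope it was never granted, and the authorization code is consumed on first use, so a replayed code fails with invalid_grant.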
23. JWT Token
[Diagram: Client / Partner, Gateway, Key Manager, Store, Publisher and Back End, with JWT Token labels on the flow to the Back End]
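The slide shows a JWT carrying end-user context from the Gateway to the Back End. The following is an added example (not WSO2 code and not from the deck) of what each side does: the gateway signs the JWT and the backend verifies it before trusting any claim. It assumes an HMAC-SHA256 shared secret and an issuer name, both constructed for this example; a real deployment would typically use the key manager's signing key instead.

```python
"""Gateway-issued JWT and backend-side verification (added example).

Assumptions (constructed for this example): HS256 with a secret shared by the
gateway and backend, issuer name "gateway.example", audience "backend".
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-gateway-backend-secret"  # constructed sample value
ISSUER = "gateway.example"                             # constructed sample value
AUDIENCE = "backend"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def gateway_issue_jwt(subject, application, scopes, ttl=300, now=None):
    """Gateway side: build and sign a short-lived JWT with the end-user context."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "aud": AUDIENCE, "sub": subject,
        "iat": int(now), "exp": int(now) + ttl,
        "application": application, "scope": " ".join(scopes),
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def backend_verify_jwt(token, now=None):
    """Backend side: return the claims if the token is valid, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_unb64url(h))
    # pin the algorithm: never let the token choose it (rejects alg "none" and swaps)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))  # only decode claims after the signature checks out
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def backend_accepts(token, now=None):
    """Boolean convenience wrapper around backend_verify_jwt."""
    try:
        backend_verify_jwt(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = gateway_issue_jwt("alice", "shop-web", ["orders:read"])
    print(backend_verify_jwt(tok)["sub"])
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, and issuer, audience and expiry are checked so that a token minted for another service, or an old one, is not accepted.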
24. Analytics
Operational Purposes
Know when your system is heating up
Know when to scale up/down
For Alerts/Notifications
Threat detection
Business Purposes
Identify user types/categories by device (User Agent)
Identify usage by Geographical location
Know when to promote/retire your APIs
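As an added example (not WSO2 code and not from the deck) of the operational and business analytics the slide lists, the block below runs three checks over constructed gateway access-log lines: request volume per application, usage by device category derived from the User Agent, and a sliding-window detector that flags a source IP producing a burst of authentication failures. The log format, app names and IP addresses are constructed for this example.

```python
"""Simple API analytics over constructed access-log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not the API Manager's own format)
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) app=(?P<app>\S+) ip=(?P<ip>\S+) api=(?P<api>\S+) '
    r'status=(?P<status>\d{3}) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample log: normal traffic, one 403, a burst of 401s from one IP, a batch job
SAMPLE_LOG = """
2015-06-01T10:00:01 app=shop-web ip=198.51.100.10 api=/orders status=200 ua="Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"
2015-06-01T10:00:02 app=shop-web ip=198.51.100.10 api=/orders status=200 ua="Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"
2015-06-01T10:00:05 app=shop-mobile ip=198.51.100.22 api=/orders status=200 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) Mobile/12F70"
2015-06-01T10:00:07 app=shop-mobile ip=198.51.100.23 api=/orders status=201 ua="Mozilla/5.0 (Linux; Android 5.1) Mobile Safari/537.36"
2015-06-01T10:00:09 app=shop-web ip=198.51.100.50 api=/admin status=403 ua="Mozilla/5.0 (Windows NT 6.1) Chrome/43.0"
2015-06-01T10:00:10 app=unknown ip=203.0.113.9 api=/orders status=401 ua="python-requests/2.7.0"
2015-06-01T10:00:12 app=unknown ip=203.0.113.9 api=/orders status=401 ua="python-requests/2.7.0"
2015-06-01T10:00:14 app=unknown ip=203.0.113.9 api=/orders status=401 ua="python-requests/2.7.0"
2015-06-01T10:00:16 app=unknown ip=203.0.113.9 api=/orders status=401 ua="python-requests/2.7.0"
2015-06-01T10:00:18 app=unknown ip=203.0.113.9 api=/orders status=401 ua="python-requests/2.7.0"
2015-06-01T10:00:20 app=unknown ip=203.0.113.9 api=/orders status=401 ua="python-requests/2.7.0"
2015-06-01T10:00:30 app=batch-job ip=198.51.100.40 api=/reports status=200 ua="curl/7.38.0"
""".strip().splitlines()


def parse_log(lines):
    """Parse matching lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["status"] = int(e["status"])
        events.append(e)
    return events


def device_category(ua):
    """Coarse device/user category from the User Agent string."""
    ua = ua.lower()
    if any(k in ua for k in ("curl/", "python-requests", "wget/")):
        return "script"
    if any(k in ua for k in ("mobile", "android", "iphone", "ipad")):
        return "mobile"
    return "desktop"


def requests_per_app(events):
    return Counter(e["app"] for e in events)


def usage_by_device(events):
    return Counter(device_category(e["ua"]) for e in events)


def auth_failure_bursts(events, window_seconds=60, threshold=5):
    """Return the set of IPs with >= threshold 401/403 responses inside any window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for e in events:
        if e["status"] in (401, 403):
            failures[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(requests_per_app(evs), usage_by_device(evs), auth_failure_bursts(evs))
```

The burst detector is the "threat detection" item on the slide in its simplest form; the same per-IP or per-application counting over a window is also the basis for the scale-up and alerting signals listed under operational purposes.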
25. Analytics in API Manager
[Diagram: Client / Partner, Back End Service, Event Streams, STAT DB, Aggregated Data, and statistical data retrieved for display; numbered flow steps 1 to 5]
26. Identity Federation
• Useful in scenarios where you need to authenticate users through an Identity System that’s already in place
27. Integration with external OAuth servers
• Enterprises which already have an identity system capable of doing OAuth might be interested in integrating the API Management platform with it.
28. API Facade Pattern
• It is an architectural best practice to use the Facade pattern to clearly separate out the API layer and mediation layer to facilitate better separation of concerns
29. Deployment FAQ
• How many servers do I need to achieve my performance requirement?
• How to scale with time?
• Securing the deployment?
30. Deployment Performance Numbers
• 1300 TPS for EC2 m1.large.
• Upcoming release AM 1.9 has shown more than 4000 TPS for a tuned setup. We will be benchmarking on EC2 after the release.
38. Integration and Automation
• We are working on a complete RESTful API for API Manager.
• Can find the swagger definition at http://hevayo.github.io/restful-apim/#/