Developer portal API management – API design
Companies have to develop, implement, and publish APIs for audiences ranging from internal developers to business partners. Security concepts such as useful life, number of users, and more are designed in API management. They are then documented accordingly for internal and external users in API management. These design elements are also provided in the portal, to give consumers a transparent overview of the API.
An application programming interface (API) connects products and services with each other through the exchange of data between software programs. API management ensures the usability and security of APIs in the context of creation, testing, documentation and publication. API management can be deployed on-site (on-premises), in the cloud, or in a mix (hybrid).
In combination with IT integration, API management is used as a gateway to all of a company’s APIs. It is usually positioned between the client and the backend services. Queries, authorizations, and security concepts are defined here to protect against third-party access. It also provides an additional demarcation between the internal IT and external consumers. The gateway is implemented in a DMZ, for example, to prevent direct access to the internal IT.
As the provided APIs increase in size, companies can monetize them. This means a usage fee for the API is collected from the user, with a variety of possible billing models: by usage time, number of calls, runtime, and so on.
In addition, different variants of a sliding scale (trial, bronze, silver, gold) can be designed, which the user can select in a corresponding portal.
Scheer PAS combines IT integration and API management on a single platform. New and existing interfaces are automatically transferred to the API management and can be managed and published in an API catalog. The developer portal provides secure and easy access for developers and customers.
Benefits of Scheer PAS API Management
- Integrated API catalog of Scheer PAS services
- Swagger UI with integrated try-out function
- Republishing possible for all APIs
- Simple installation via Docker
- Professional consulting & reliable support from the manufacturer
- Customized user interfaces with additional developer functions and Kibana
The classic approach
The consumer of the API, internal or external
The service to be accessed
The central hub to control access and rules
In the classic approach, the client submits a request to the API, and the API returns a response. In our API management solution, there is another component in between: the API gateway. The client sends its request to the gateway, which forwards it to the API. The controls, protection, and analysis are thereby decentralized from the internal IT.
On the right, you see a theoretical unmanaged API. In this case, it is connected to the gateway to ensure that the client can only access the APIs via the API gateway. The advantage of this approach is that it prevents direct access from the client to the API. This also makes it possible to provide user access to all APIs through a shared access point. As far as the security aspects go, there is a rough differentiation between endpoint security and policy security.
Endpoint security means that the individual APIs can be made available centrally, via an external port.
Policy security takes place completely in the gateway. A chain of rules is applied when the client sends a request to the gateway. It runs through three steps (see figure) and ends at the API. When the API sends a response, the chain is processed in reverse on a case-by-case basis.
Our rules are divided into three groups:
- plans (link between client and API), and
- API (which is also assigned rules)
But the sequence of the policies is important.
For example: Use the “BASIC authentication policy” before the “Rate limiting policy”. Some rules have proven to be very effective. One example: Assign limitation policies to a plan (for example, our “gold” plan: 10,000 queries per hour).
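The effect of policy order on a plan limit, as an added example that is not Scheer PAS code or configuration: a two-policy chain is run in both orders, and the response pass unwinds it in reverse. The class names, the `app-1` client and the credentials are constructed, and the limit is scaled down to 100 requests per hour so the run stays short.

```python
import base64
import hmac

USERS = {"alice": "s3cret"}  # constructed sample credentials

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class BasicAuthPolicy:
    name = "auth"
    def on_request(self, req):
        try:
            scheme, token = req.get("authorization", "").split(" ", 1)
            user, _, password = base64.b64decode(token).decode().partition(":")
        except ValueError:  # malformed header, base64 or UTF-8
            return 401
        expected = USERS.get(user)
        ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
        return None if scheme.lower() == "basic" and ok else 401

class RateLimitPolicy:
    """Fixed-window counter per client, e.g. a plan limit per hour."""
    name = "rate"
    def __init__(self, limit, window_s=3600):
        self.limit, self.window_s, self.counts = limit, window_s, {}

    def on_request(self, req):
        key = (req["client"], int(req["time"] // self.window_s))
        self.counts[key] = self.counts.get(key, 0) + 1
        return 429 if self.counts[key] > self.limit else None

def handle(chain, req):
    """Request policies run in order; after the backend, the chain unwinds in reverse."""
    trace = []
    for policy in chain:
        trace.append(policy.name + ":request")
        if status := policy.on_request(req):
            return status, trace
    trace.append("backend")
    trace += [p.name + ":response" for p in reversed(chain)]
    return 200, trace

def status_after_failed_logins(auth_first, failed=100, limit=100):
    """Send `failed` wrong-password requests, then one valid one; return its result."""
    chain = [BasicAuthPolicy(), RateLimitPolicy(limit)]
    chain = chain if auth_first else chain[::-1]
    for i in range(failed):
        handle(chain, {"client": "app-1", "time": i, "authorization": basic("alice", "wrong")})
    return handle(chain, {"client": "app-1", "time": failed, "authorization": basic("alice", "s3cret")})
```

With authentication first, rejected requests never reach the counter, so the valid request passes. With the limiter first, the failed logins use up the plan's quota and the valid request is refused with 429.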
Scheer PAS API Management gives you a fully integrated model within the Scheer PAS platform. As a result, you do not need to integrate an external API management solution in your environment.
Services are passed directly from Scheer PAS Designer to API management. Scheer PAS Designer is our central design tool for models, UIs, and integration and enables you to select the API organization and choose between secure and public.
Of course, you can also import the API outside of the Scheer PAS platform and configure it the same way.
Thanks to flexible policies, the API management can be adapted quickly and individually optimized. The user has several options for accessing the interface: either by using public APIs or through contracts.
Such contracts are concluded between the user, the access model of the plan, and the API. As such, the contract forms the framework as to how an API can be consumed.
The technical documentation of the API is ensured over its entire life cycle, for instance, with Swagger (OpenAPI Specification). The illustrated documentation can be produced both through internal areas within the API configuration and through description options in the API portal.
- Version management for interfaces and clients
- Scalability through use of multiple, specialized gateways
- Caching of data-intensive queries and thus lower load on the backend
- Optimization and performance improvement through use and adjustment of metrics and access controls
- Monitoring of data traffic of individual clients and APIs
- Simplified billing
- Quota limits to restrict the number of requests to the interface
- Rate limits, such as 100 requests per minute, are one way to ensure that the backend is not overloaded, which is ideal for preventing denial-of-service (DoS) attacks; DDoS attacks are also prevented thanks to the central API management.
- Time-controlled availability: APIs are only available during freely definable times
- Traffic constraints: The data volume available to the interface or individual clients can be restricted
- Decentralization of the IT and infrastructure-based demarcation between internal IT and the API consumers