The need for API management stems from using Web APIs to conduct business. It started in 2006, then gradually matured and entered the market by 2016. API management covers editing, testing, publishing, authenticating, metering, analyzing, reporting, monitoring, and so on for an API, whether through a proxy that serves as a management gateway for an existing API, as part of the gateway used to deploy the API itself, or as a connection layer in code. Over the past decade, API management providers have collectively defined common ways to do business using Web APIs. Although API management is very technical, it is closely tied to the API business and the value that comes from using the Web to provide access to data, content, algorithms, and other digital resources. The following illustrates the importance and implementation of API management through a few key topics.
1. Security:
API authentication
Restricting API access to partner IP addresses (a whitelist) is a very powerful defense if you regularly provide API access to partners. You still need authentication and rate limiting, but reducing traffic to known partners alone eliminates a lot of the malicious traffic seen on APIs open to the wider Internet, such as brute-force attempts to gain access and denial-of-service attacks. Even with IP whitelists, it is still best practice to put an API gateway in place. This helps with authentication and ensures that the back end only receives properly validated API calls.
The most common mechanisms are OAuth and OAuth2, which are used to protect communication between APIs. Even with OAuth, tokens held by other parties can be a problem. How do you manage the token lifecycle? Are tokens refreshed? Some successful infrastructures use one-time tokens to strictly limit the types of operations being attempted, which boils down to secure token management and certificate-based authentication.
An API always authenticates before it authorizes. There are many ways to do API authentication, but multifactor authentication is the common one. For APIs, it is common to use an external process (for example, the OAuth protocol) to obtain access tokens. Authentication keys are the most sensitive material and must be kept secure; it is recommended to automate the whole process using a managed key store. Authentication alone is not enough to grant access to the API: there should be an authorization step that determines which resources the authenticated client may access. Approaches to checking authorization include content-based access control (CBAC), role-based access control (RBAC), and policy-based access control (PBAC), to ensure that business data remains fully protected from unauthorized access.
Restrict access to API resources
Protecting the API environment involves every API touchpoint: authenticating and authorizing API clients (third-party applications and developers, or microservices), limiting API calls to mitigate distributed denial-of-service (DDoS) attacks, and protecting and processing API calls to back-end applications.
Some of the techniques and tools used to secure APIs are:
1) Authenticate and authorize API clients using a JSON Web Token (JWT), which carries information about the client, such as administrative permissions or an expiration date. When a client presents a JWT with its API request, the API gateway validates the JWT and verifies that its claims match the access policy you set for the resource the client requested.
2) Define and enforce access control policies that only allow certain types of clients to perform write operations or access sensitive data (such as pricing).
3) Define role-based access controls so that only certain users (such as developers within a particular organization) can publish APIs that expose sensitive information (such as pricing or inventory levels).
4) Protect the API itself by applying a rate limiting policy that sets a threshold for the number of requests that the API gateway receives per second (or other time period) from a given source (such as a client IP address).
5) Secure backend applications with HTTPS – the HTTPS protocol should be used between the API gateway and the backend system handling API requests.
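As an added illustration of the JWT check in item 1) (example code, not from the original article): the gateway verifies an HS256 signature and the expiry claim, and only then compares the token's role claim against a per-resource access policy. The shared secret, the `role` claim name and the policy table are constructed assumptions.

```python
import base64, hmac, hashlib, json, time

# Constructed shared secret for this example (a real gateway loads it from a managed key store).
GATEWAY_SECRET = b"example-gateway-secret"

# Access policy (assumed): (HTTP method, resource) -> roles allowed to perform it.
ACCESS_POLICY = {
    ("GET", "/catalog"): {"partner", "admin"},
    ("GET", "/pricing"): {"admin"},
    ("PUT", "/pricing"): {"admin"},
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_jwt(claims, secret=GATEWAY_SECRET):
    """Mint an HS256 JWT; used here only to build sample tokens for the gateway to check."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token, secret=GATEWAY_SECRET, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # the gateway pins the algorithm; it never trusts 'alg' from the token
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or "exp" not in claims or now >= claims["exp"]:
        return None
    return claims

def authorize(token, method, resource, now=None):
    """Gateway decision: authenticate the JWT first, then check its role against the policy."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return False
    return claims.get("role") in ACCESS_POLICY.get((method, resource), set())
```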
Throttling and quotas as circuit breakers: a good practice is to enforce quotas on each application's data usage so that the back end is not affected by DoS or DDoS attacks, and to prevent unauthorized users from misusing the API. Per-resource throttling and quotas not only act as a circuit breaker but also prevent negative impacts on the system. Sophisticated API management platforms provide this functionality through policies such as quotas and limits.
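An added example (not from the original article) of the per-source rate limit from item 4) combined with the per-application quota above acting as a circuit breaker at the gateway; the limits, the application identifier and the sample requests are constructed assumptions.

```python
from collections import defaultdict, deque

class GatewayLimiter:
    """Per-source rate limit plus per-application quota, evaluated at the API gateway.
    The limits and the application identifier are constructed assumptions."""

    def __init__(self, per_ip_per_second=5, app_quota=100, quota_window=86400):
        self.per_ip_per_second = per_ip_per_second
        self.app_quota = app_quota
        self.quota_window = quota_window      # seconds; 86400 = a daily quota
        self._ip_hits = defaultdict(deque)    # ip -> timestamps of allowed calls in the last second
        self._app_usage = {}                  # app_id -> (window_start, calls in window)

    def allow(self, client_ip, app_id, now):
        """Return (allowed, reason). The rate limit is checked first so a flooding source
        is rejected before it can burn through its application's quota."""
        hits = self._ip_hits[client_ip]
        while hits and now - hits[0] >= 1.0:  # slide the one-second window
            hits.popleft()
        if len(hits) >= self.per_ip_per_second:
            return False, "rate_limited"
        start, count = self._app_usage.get(app_id, (now, 0))
        if now - start >= self.quota_window:   # quota window rolled over: reset the count
            start, count = now, 0
        if count >= self.app_quota:
            return False, "quota_exceeded"     # circuit breaker: the back end never sees this call
        hits.append(now)
        self._app_usage[app_id] = (start, count + 1)
        return True, "ok"

def replay(limiter, requests):
    """Run constructed (timestamp, client_ip, app_id) requests through the limiter
    and return how many were allowed, rate-limited or quota-blocked."""
    counts = defaultdict(int)
    for now, ip, app in requests:
        counts[limiter.allow(ip, app, now)[1]] += 1
    return dict(counts)

if __name__ == "__main__":
    limiter = GatewayLimiter(per_ip_per_second=3, app_quota=5, quota_window=60)
    # Constructed sample: five calls within one second from one partner address.
    burst = [(0.1 * i, "203.0.113.7", "app-a") for i in range(5)]
    print(replay(limiter, burst))  # {'ok': 3, 'rate_limited': 2}
```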
Three key areas
There are three key areas of our API security approach:
1) Take a declarative approach. Customers are turning to OAuth 2 and layering OpenID Connect on top of it. OAuth 2 has many options; OpenID Connect limits those options but also guides best practices.
2) Think carefully about how application IDs relate to user identities.
3) Consider API security in the broadest sense to reduce intrusion attempts. One approach is to distribute the security implementation across layers. By default, API management centres on providing an API gateway, which should focus on authentication and authorization of traffic. A multi-tier approach is recommended, with a Web application firewall such as Apache ModSecurity included as a separate layer.
2. Ease of use:
Deploying APIs involves many important elements, including authentication, protection/availability, and monetization. But many of them don't matter if nobody uses the API. Ease of use and successful completion of use cases are key to adoption. Our integration platform makes the API easy to use; with our application connector, we can simplify the use of many APIs.
The last letter in API stands for "interface," so it's important to clearly define how that interface works. You need to make some important architectural decisions up front about how your customers will use your APIs, and how developers will bring them to market. As the number of APIs grows, it becomes important to maintain consistency in naming and data formats. This is not a big deal when you provide 5-10 APIs, but when the number is over 100 and you may have multiple people (or teams) creating them at different times, introducing them as part of different products, etc., it is critical that all teams can easily understand and implement the existing specifications. If these specifications are not uniform and are difficult to read, it is bound to cause problems.
3. API lifecycle management:
There are four main elements:
1. API lifecycle management provides the ability to manage the whole API lifecycle, from API design, development and publishing through to management (including maintenance and version control). This allows a company to accelerate innovation by building innovative solutions, improve development efficiency, better secure enterprise data, and let users easily find and use the API.
2. API gateway, which acts as the entry point to a set of APIs. The benefits of using an API gateway are providing the best API for each client, reducing the number of requests the client needs to make, and enforcing appropriate security and controls.
3. Documentation: the developer portal is the key to improving API adoption and stickiness. It is the first place developers go to learn and use the API, and where they learn about the authentication/authorization mechanisms. They will also learn which APIs are available and benefit from descriptions and examples of each API request.
4. API analytics/monitoring, which helps teams understand the usage of their APIs and provides insights into how the various APIs are used. It also lets operators enforce API quotas, limits and traffic controls to prevent or limit usage that is inconsistent with your business goals.
Among domestic API management tools, EOLINKER is a platform that covers the whole process of API management with a good user experience, including API document editing, API testing, automated testing, API monitoring and a gateway, and offers a complete API research and development workflow. POSTMAN and Swagger are alternatives, but the former focuses on testing while the latter focuses on interface management, so neither is comprehensive, and their all-English interfaces are not very friendly to Chinese users. If you have such requirements or are interested in EOLINKER, POSTMAN or Swagger, you can look into them.
When choosing an API management solution, the best advice is to always keep the relationship simple, modular, strongly independent and separate from other modules in the API lifecycle, and to keep the business engagement limited so that it can be used and grown without lengthy contracts. Each phase in the API life cycle should reflect the philosophy of the API, and be small, separate, and focused on the goals of that phase.