Exploring the API Gateway in the Multiverse of APIs
In my discussions with clients about solutions built on an API Management Platform, the use case of integrating with partners consuming APIs exposed by the company is a common and generally well-understood scenario. However, some aspects require clarification when considering the use of the API Management Platform to consume the APIs provided by partners.
The diagram below illustrates a typical scenario of using an API Management Platform, exposing its backend services through an API Gateway, and consumed by customer applications, including business partners.
Figure 1. Common and generally well-understood use case: partners consuming APIs exposed by a company through an API Gateway
In the presented scenario, the exposure of backend services occurs within the context of a specific company, connecting its legacy systems, databases, web services, ERP, and microservices to its API Management Platform. This integration platform provides APIs for customer applications, collectively referred to as the Customer Universe.
In today's increasingly digital, connected, and open world, the adoption of Open APIs for integration between businesses and governments of all sizes has become the norm, accelerated by the impacts of COVID-19.
Therefore, additional APIs need integration beyond the Customer Universe of APIs: the Business Partners’ Universe of APIs. An API Management Platform proves essential in successfully integrating these diverse API contexts.
Figure 2. Use of the API Gateway to integrate with internal APIs and APIs provided by business partners
Why Connect Partners’ APIs to the API Gateway?
Consider a scenario where your business partner exposes well-documented APIs for consumption in your applications. Why include your API Gateway as another layer in this integration? In brief, the answer lies in Security & Control and Cost Optimization.
Security & Control
As the main component of an API Management Platform, the API Gateway offers numerous benefits, including security, governance, connections, and digital transformations. These advantages extend to both internal APIs exposed to customer applications and external APIs provided by business partners.
Will your business processes use all the operations offered by your partner's APIs?
Can all areas of your company access the APIs and their operations provided by your partner?
Does the data in these APIs include sensitive or confidential information that needs obfuscation or encryption?
Can you perform an impact analysis on your applications when the partner releases a new API version?
Can your API Gateway directly manage the APIs provided by the partner?
These questions help you understand why you should connect your partners' APIs in a partner ecosystem rather than a direct connection from your applications to those APIs.
You don't always need to use all the operations an API provides, especially when a cost is involved. By integrating with partners' APIs in your API Gateway, you can choose to expose only the APIs and operations required for your business processes, preventing the misuse of any operation.
Another vital concern is the security of these APIs. Utilizing API security solutions allows you to establish specific access plans for each customer application. This restricts access to only the necessary operations for each application (principle of least privilege) and prevents the sharing of access credentials provided by your partner across all customer applications requiring access to specific API operations.
For Open APIs that handle sensitive or confidential data, you have the option to configure additional security policies in your API Gateway to encrypt some data or even obfuscate data in the audit logs.
When your partner introduces a new API version, you can efficiently conduct an impact analysis using your API Gateway. This analysis helps identify which customer applications utilize a specific API. Consequently, you can create a suitable work plan to adjust to the new version and cease using the old one.
In an enhanced security setup, your partners can directly handle the APIs they provide in your API Gateway. This involves utilizing security features to control organizations, teams, and profiles. Additionally, it includes establishing visibility rules for the resources and objects within your API Gateway and integrating with external user repositories through protocols like LDAP or SAML 2.0.
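To make the controls above concrete, here is a small model of a gateway fronting a partner API. It is an added illustration, not code from this article or from any particular API Management product: the partner operations, the exposed subset, the access plans, the API keys and the partner token are all constructed sample values. It shows the operation allowlist (only what your business processes need is exposed), per-application access plans (least privilege), the partner credential held only inside the gateway so client applications never handle it, and masking of sensitive fields in the audit record before it is logged.

```python
"""Minimal model of an API Gateway in front of a partner's API.

Added example: every operation, key and credential below is a constructed
sample value, not a real gateway configuration.
"""
import hmac
import re

# Operations the partner's API actually offers (constructed sample).
PARTNER_OPERATIONS = {
    ("GET", "/v1/quotes"),
    ("POST", "/v1/orders"),
    ("DELETE", "/v1/orders/{id}"),
    ("GET", "/v1/customers/{id}"),
}

# Only the operations your business processes need are exposed through the
# gateway; anything else is rejected even though the partner offers it.
EXPOSED_OPERATIONS = {
    ("GET", "/v1/quotes"),
    ("POST", "/v1/orders"),
}
assert EXPOSED_OPERATIONS <= PARTNER_OPERATIONS, "cannot expose what the partner does not offer"

# Access plans: each customer application has its own key and only the
# operations it needs (least privilege). Keys are constructed sample values.
ACCESS_PLANS = {
    "app-pricing-portal": {"key": "key-portal-123",
                           "operations": {("GET", "/v1/quotes")}},
    "app-order-service": {"key": "key-orders-456",
                          "operations": {("GET", "/v1/quotes"), ("POST", "/v1/orders")}},
}

# The partner's credential lives only in the gateway (placeholder value);
# client applications never see it or send it.
PARTNER_CREDENTIAL = "PARTNER_API_TOKEN_PLACEHOLDER"

# Fields treated as sensitive: masked in audit logs before they are written.
SENSITIVE_FIELDS = {"card_number", "tax_id"}


def _find_operation(method, path, operations):
    """Match a concrete request against templates such as /v1/orders/{id}."""
    for op_method, template in operations:
        if op_method != method:
            continue
        pattern = "^" + re.sub(r"\{[^/]+\}", r"[^/]+", template) + "$"
        if re.match(pattern, path):
            return (op_method, template)
    return None


def _app_for_key(api_key):
    """Resolve an API key to an application using a constant-time comparison."""
    for name, plan in ACCESS_PLANS.items():
        if hmac.compare_digest(plan["key"], api_key):
            return name
    return None


def mask_sensitive(payload):
    """Return a copy of the payload with sensitive fields masked (last 4 kept)."""
    masked = {}
    for key, value in payload.items():
        if key in SENSITIVE_FIELDS and isinstance(value, str):
            masked[key] = "*" * len(value) if len(value) <= 4 else "*" * (len(value) - 4) + value[-4:]
        elif isinstance(value, dict):
            masked[key] = mask_sensitive(value)
        else:
            masked[key] = value
    return masked


def handle_request(api_key, method, path, body=None):
    """Apply the gateway policies to one client request.

    Returns a dict with the HTTP 'status', the 'upstream' request the gateway
    would forward to the partner (None if rejected) and the 'audit' record.
    """
    body = body or {}
    audit = {"app": None, "method": method, "path": path, "body": mask_sensitive(body)}
    app = _app_for_key(api_key)
    if app is None:
        return {"status": 401, "upstream": None, "audit": audit}
    audit["app"] = app
    if _find_operation(method, path, EXPOSED_OPERATIONS) is None:
        # Not exposed by the gateway (whether or not the partner offers it).
        return {"status": 404, "upstream": None, "audit": audit}
    if _find_operation(method, path, ACCESS_PLANS[app]["operations"]) is None:
        # Exposed, but not part of this application's access plan.
        return {"status": 403, "upstream": None, "audit": audit}
    upstream = {
        "method": method,
        "path": path,
        "headers": {"Authorization": f"Bearer {PARTNER_CREDENTIAL}"},
        "body": body,  # forwarded unmasked to the partner; only the log is masked
    }
    return {"status": 200, "upstream": upstream, "audit": audit}


if __name__ == "__main__":
    print(handle_request("key-orders-456", "POST", "/v1/orders", {"card_number": "4111111111111111"}))
```

The impact-analysis point follows from the same structure: because every call passes through `handle_request` with the application resolved from its own key, the audit records tell you exactly which applications use which partner operation when a new API version arrives.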
Cost Optimization
It is increasingly common for partner APIs to be monetized. APIs are treated as products of these companies, generating revenue by charging for their consumption, usually based on the number of calls to these APIs.
By including your partners' APIs in your API Management Platform, you can implement adaptive governance to control calls to these APIs, limiting the number of calls in a period (rate limit) or avoiding peak calls (spike arrest), even if you have not yet reached the established limits.
There is also the possibility of configuring a cache policy when calling APIs, avoiding unnecessary calls to your partners' APIs for operations whose data does not change very dynamically.
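The three cost controls just described (rate limit per window, spike arrest, and response caching) can be shown together in a small proxy that counts billable calls to a metered partner API. This is an added example, not this article's code or any vendor's policy engine; the partner backend, the fake clock and the policy thresholds are constructed so the scenario runs offline.

```python
"""Cost-control policies in front of a metered partner API.

Added example: the backend stub, clock and thresholds are constructed
values; this is not a real gateway's configuration.
"""
import time
from collections import deque


class PartnerApiStub:
    """Stand-in for the partner's metered API; every call here is billable."""

    def __init__(self):
        self.calls = 0

    def get(self, path):
        self.calls += 1
        return {"path": path, "price": 42}  # constructed response


class FakeClock:
    """Controllable clock so the scenario is deterministic (seconds)."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class CostControlledProxy:
    def __init__(self, backend, clock=time.monotonic, rate_limit=100,
                 window_s=60.0, min_interval_s=0.1, cache_ttl_s=30.0):
        self.backend = backend
        self.clock = clock
        self.rate_limit = rate_limit          # max upstream calls per window
        self.window_s = window_s
        self.min_interval_s = min_interval_s  # spike arrest: minimum spacing
        self.cache_ttl_s = cache_ttl_s
        self._calls = deque()                 # timestamps of upstream calls in window
        self._last_call = None
        self._cache = {}                      # path -> (timestamp, data)

    def get(self, path):
        now = self.clock()
        # Cache: serve slowly-changing data without touching the partner.
        cached = self._cache.get(path)
        if cached is not None and now - cached[0] < self.cache_ttl_s:
            return {"status": 200, "source": "cache", "data": cached[1]}
        # Spike arrest: smooth bursts even when the window quota is not exhausted.
        if self._last_call is not None and now - self._last_call < self.min_interval_s:
            return {"status": 429, "source": "spike-arrest", "data": None}
        # Rate limit: drop timestamps that left the window, then check the count.
        while self._calls and now - self._calls[0] >= self.window_s:
            self._calls.popleft()
        if len(self._calls) >= self.rate_limit:
            return {"status": 429, "source": "rate-limit", "data": None}
        data = self.backend.get(path)
        self._calls.append(now)
        self._last_call = now
        self._cache[path] = (now, data)
        return {"status": 200, "source": "upstream", "data": data}


def run_scenario():
    """Drive the proxy through a constructed sequence; returns (sources, billable calls)."""
    clock, backend = FakeClock(), PartnerApiStub()
    proxy = CostControlledProxy(backend, clock=clock, rate_limit=3,
                                window_s=60.0, min_interval_s=1.0, cache_ttl_s=10.0)
    sources = []
    sources.append(proxy.get("/v1/quotes/A")["source"])   # upstream (billed)
    sources.append(proxy.get("/v1/quotes/A")["source"])   # cache hit, no bill
    sources.append(proxy.get("/v1/quotes/B")["source"])   # spike arrest: too soon
    clock.t += 1.0
    sources.append(proxy.get("/v1/quotes/B")["source"])   # upstream (billed)
    clock.t += 1.0
    sources.append(proxy.get("/v1/quotes/C")["source"])   # upstream (billed)
    clock.t += 1.0
    sources.append(proxy.get("/v1/quotes/D")["source"])   # rate limit: 3 in window
    clock.t += 60.0
    sources.append(proxy.get("/v1/quotes/D")["source"])   # window cleared, upstream
    return sources, backend.calls


if __name__ == "__main__":
    print(run_scenario())
```

Note that spike arrest is checked before the window count: a burst of calls is rejected even when you are far from the rate limit, which is exactly the distinction the text draws between the two policies.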
This article has explored the integration scenario with business partners through an API Management Platform, considering both the case where partners provide services consumed by your company and the case where a business partner consumes APIs from your company. API Platforms offer various benefits, such as security, governance, connections, and data transformations. APIs open a world of opportunity for business transformation with an emphasis on security, control, and cost optimization.