API strategy best practices

Application programming interfaces (APIs) are invaluable to modern organizations, used to connect and integrate applications, systems and databases, orchestrate workflows, accelerate the development and distribution of new apps and services, create modernized interfaces for legacy systems and much more. The average enterprise has over 613 API endpoints in production.

However, if APIs are created, deployed or incorporated in an ad hoc manner, organizations risk leaving value on the table or worse, leaving the organization vulnerable to cybersecurity risks. A comprehensive API strategy helps ensure that an organization fully capitalizes on its APIs and that APIs work in service of shared business initiatives.

An API strategy is a high-level plan that outlines how an organization will use APIs to achieve business goals. It establishes guidelines and policies for API design, development and deployment, API management, security and more. API strategy helps ensure that an organization’s APIs do not exist in isolation but work together in service of greater business needs and objectives.

An API strategy accounts for an organization’s technical, security and compliance needs, while helping to promote a sustainable, predictable and centralized system for implementing new APIs in the future.

In short, API strategy helps organizations design and manage more efficient, valuable and secure APIs. API functionality is so extensive, varied and rapidly evolving that stakeholders need to have a concrete API strategy to maintain cohesiveness, efficiency and effectiveness in API projects.

Because there are many types of APIs—and even more ways in which they are used)—and they play such an integral role in modern enterprises, organizations must have a clear and comprehensive API strategy to maintain order in their digital ecosystem, avoid wasted resources and security risks and ensure that their APIs are delivering as much business value as possible.

A robust API strategy can provide a better experience for developers, improve compatibility and scalability, help organizations monetize their APIs and more. API strategy is also an important part of achieving holistic goals such as digital transformation.

Digital transformation is a strategy that is aimed at incorporating digital technology across an organization. It is a complete overhaul of processes, products, operations and the technology stack to enable continual, rapid, customer-driven innovation. It’s not just about replacing certain processes or updating services; it’s a full business transformation that places technology at the heart of an organization.

APIs—and a well-formed API strategy—play an outsized role in driving this transformation. With technology at the center, it is APIs that are so often used to connect technologies across an enterprise and to connect users to enterprise applications, systems and services.

APIs enable organizations to deliver more services to more users (opening up new revenue streams), to make these services faster and improve the overall user experience, to facilitate data exchange between internal systems, databases and applications, to connect resources hosted on different cloud providers, to modernize legacy IT infrastructure and more. 

A strong enterprise API strategy includes thorough API documentation (read more on how organizations can discover APIs here) that clearly explains how an organization’s APIs are built and used. A developer portal can be a valuable tool for making both front-end and back-end APIs available, organized and discoverable for developers. Without a good API strategy, developers might struggle to find the tools they need, which can slow production and implementation and result in API redundancy and wasted resources.

APIs must be monitored and updated to keep pace with new software and software updates. A well-developed API strategy generally includes plans for the full API lifecycle: ideation, API design, testing, implementation, maintenance and, if needed, discontinuation. Such a process drives consistency in API compatibility with the latest software versions and reduces the risk of compatibility-related crashes or unpredictable behavior.

Technology’s breakneck evolution means that nearly every organization relies on some kind of legacy service, software or database. Updating these resources is often costly and time-consuming.

While modernization efforts advance, organizations can use APIs to modernize the interface to these systems and databases. This enables organizations to integrate legacy resources—and leverage the valuable data within them—without having to wait for the entire system to be updated.

For example, a huge store of customer account records might be housed in a database that is no longer used by the rest of the company. Rather than painstakingly migrating all that data to a new system (or while that migration is underway), an API can be used to enable other parts of the system to communicate with the database and request information.

An API strategy makes sure that APIs are designed, deployed and documented in a way that orients the business toward stated goals and fits with broader business strategy. API strategy helps create a roadmap for API development and distribution and a plan that yields more cohesive and streamlined business models and greater API value.

APIs are often used as an attack vector and introduce a security risk that must be addressed. An API strategy that details organizational security standards and how an organization will prevent the misuse of its APIs can reduce this risk. Tools such as API gateways and techniques such as authentication or rate limiting are often used to do so.

Rate limiting is used to reduce the risk of brute force or distributed denial of service attacks (DDoS attacks). Rate limiting blocks or discards requests that pose a volume risk and prevents systems from being flooded with requests. There are automated functions that can be even more precise, as well. For example, organizations can set rate limits for certain IP addresses with high request activity that has been flagged as suspicious. 

Authentication techniques are also incorporated into the API security strategy to make sure that only safe and approved requests are fulfilled. OAuth, or open authorization, is a protocol that uses an access token that grants users access to previously approved data or services without the need to log in. API keys, which are a unique string of characters that are known only to the client and the server, are another popular tool that organizations use to keep APIs secure.

Organizations can use automated testing platforms that continuously check system security to supplement and improve manual checking and testing.

In a microservices architecture, applications are composed of many loosely coupled and independently deployable smaller components or services. These component parts often communicate through APIs.

Microservices enable greater flexibility and versatility, but can also add complications, including compatibility issues, latency issues due to greater quantities of network connections and increased data logging. In effect, a microservices architecture brings more freedom, but also an increase in complexity.

An enterprise API strategy helps establish the API consistency and discoverability that is needed for fast and efficient microservices applications.

An API-first strategy places a high priority on APIs as business assets. In this conception, APIs are the keystones around which developers write code, rather than features to be added after software is developed. It is a popular approach in digital-first strategies because it emphasizes the integration and communication between enterprise systems, databases and applications.

An API-first strategy provides several benefits:

• Reduces the risk of API redundancy
  
  
• Promotes the reuse of APIs
  
  
• Makes APIs discoverable in a centralized location for easy search and adoption
  
  
• Makes API ecosystem more efficient
  
  
• Reduces the amount of time developers spend debugging code
  
  
• Enables greater scalability
  
  
• Enables easier API maintenance and updates
  
  
• Provides a competitive business advantage in an increasingly API-heavy world
  
  
• Enables development teams to work in parallel on multiple APIs at once, collaborating in real-time.

API strategies look quite different depending on the business goals and needs of each individual organization. But there are some larger concepts and components that make for strong API strategies and many API strategies are built using the following steps:

Strategy development begins with a simple question: what is the organziation trying to achieve with its APIs?

These goals should dovetail with other goals set by the organization, whether that’s implementing a digital transformation, optimizing workflows for developers, increasing metrics such as user base, customer experience or monetization, increasing operational efficiency — or, of course, all of the above.

A thorough cataloging of potential use cases can provide direction for an effective API strategy.

Does the organization want to easily share data among internal teams? Make it easier for developers to quickly create and improve software? Connect customers or users with data and services? API strategies change based on the precise needs of an organization, so it makes sense to start off with a simple question: how will APIs be used?

API governance refers to the comprehensive set of standards, policies and practices that direct how an organization develops, deploys and uses its APIs.

Ideally, an organization outlines its governance first and then designs APIs in accordance with those rules, rather than the other way around. In drafting this governance, teams consider factors such as organizational goals, existing technologies and what technologies the organization might incorporate in the future.

A governance framework might also outline what type of APIs are used for different use cases. There are several different API protocols, architectural styles and languages, each with strengths and weaknesses. These include¹:

Remote procedure call (RPC) is a protocol that enables a program to request a service from another program on a different computer using essentially the same code as if it were requesting a service locally.

RPC provides the high-level communications paradigm that is used in the operating system. It presumes the existence of a low-level transport protocol, such as transmission control protocol/internet protocol (TCP/IP) or user datagram protocol (UDP), for carrying the message data between communicating programs.

RPC implements a logical client-to-server communications system that is designed specifically for the support of network applications. ²

Types of RPC protocols include XML-RPC, JSON-RPC and gRPC.

Representational state transfer (REST) is a set of web API architecture principles. REST APIs—also known as RESTful APIs—are APIs that adhere to certain REST architectural constraints. REST APIs use HTTP requests such as GET, PUT, HEAD and DELETE to interact with resources. REST makes data available as resources, with each resource represented by a unique URI. Clients request a resource by providing its URI.

REST APIs are stateless—they do not save client data between requests. It’s possible to build RESTful APIs with SOAP protocols, but practitioners usually view the two standards as competing specifications.

GraphQL is an open source query language and server-side runtime that enables clients to target exactly the resources they need. Unlike REST, which typically uses multiple endpoints to fetch data and perform network operations, GraphQL APIs use a single GraphQL endpoint to give clients a precise, comprehensive data response in a one round trip from a single request, eliminating over- and under-fetching issues.³

However, GraphQL can introduce more complexity than needed for simple applications.

Simple object access protocol (SOAP) is a lightweight XML-based messaging protocol specification that enables endpoints to send and receive data through a range of communication protocols including SMTP (simple mail transfer protocol) and HTTP (hypertext transfer protocol.) SOAP is independent, which allows SOAP APIs to share information between apps or software components running in different environments or written in different languages.

API management platforms are tools that are specifically designed to access, control, distribute and analyze APIs, all in one centralized location. API management platforms enable enterprises to share documentation and tools among teams, can strengthen data security, meet compliance and governance standards and support digital transformation initiatives.

API management platforms often include a developer portal, which acts as a one-stop shop for developers to browse, access and share API documentation. This solution can sidestep the issue of multiple repositories, defunct libraries and mysterious ownership credentials in API and software development: it’s all in one place.

API platforms also include valuable analytic tools. This centralized platform is used to monitor API usage, response time and overall performance and help detect API vulnerabilities.

Finally, the use of API management platforms enables full API lifecycle management. The API lifecycle involves many different stages: creation, development, testing, publishing, maintenance, retirement. An API platform can collate all of those stages in one place, which helps provide organizations with visibility into large, complex API environments.

Because APIs provide access to data and services, whether to internal or third-party clients, security should be a major consideration through all stages API strategy development. Faulty API security can result in cyberattacks, data breaches and other unauthorized access. An API strategy must address how an organization will make sure that APIs are secure and compliant, detailing approaches to authentication, encryption, validation, monitoring, regular updates and more.

A complete API strategy includes plans for what happens after APIs are created—how they will be monitored, maintained, analyzed, tested and updated.

It’s vital to monitor API usage for several reasons, including to:

• Make sure that APIs are working properly and bug-free
  
  
• Analyze traffic patterns to check for unusual and potentially dangerous, behavior
  
  
• Confirm that all APIs are up to date
  
  
• Stay alert for potential duplication
  
  
• Remove APIs which are defunct or have been replaced

An API strategy should detail how an organization will promote visibility over its entire API environment, how insights from analytics and user feedback will be incorporated to improve API performance, how updates will be implemented and documented and how, if needed, APIs will be retired.