One thing every enterprise API creator needs to think about at some point prior to the API going to production is whether an API Management Platform is required.
The main ones that I looked at when we were in the design phase of our API were:
- Mashery (http://www.mashery.com/)
- Apigee (https://apigee.com/)
- 3 Scale (http://www.3scale.net/)
- Layer 7 (http://www.layer7tech.com/)
There are lots of others out there, but these four seem be the most active contributors to the API Management community.
What exactly is an API Management Platform?
All of these platforms all fundamentally do the same thing, but each have their nuances and provide different features and functions.
Generally they act as a proxy between your API and the customer, consuming application, or partner.
These platforms protect your back end services by limiting the customer to a certain number of allowed queries per second (QPS) or queries per day (QPD).
This prevents a user from inadvertently performing a DoS through poor coding or some form of attack. If they can only get through a small number of QPS, they'll bring down the API Management Platform before they'll bring down your service.
Along with this, they also generally provide:
- API Key & Authorisation Management
- Usage Reporting and Analytics
- Live documentation (Swagger/io-docs)
- Developer Community Management
- Billing and Payment Management
Why not just build it myself using mod_qos?
Our network administrator was adamant (and still is) that he could build all of this for me with without the need to pay an external vendor.
Wrong. Do you really feel like designing all of the features and functions specifying exactly what you need. How long is that going to take with all of the other stuff your network guy (or girl) has to work on? What about ongoing support, maintenance, new features... don't you have an API programme to be worrying about?
The beauty of these SaaS/PaaS providers is that they've done the thinking for you, and they are generally experts in the area, so they know what you want before you do!
They also generally have great Partner and API Growth programmes, so if you can get your API on their marketing ticket, then you're kickstarting your growth before you've even lifted a finger.
We had web demo's from both Mashery and Apigee, and in the end we ran with Mashery.
Implementing an API Management PlatformThe main reasons we chose Mashery was that it seemed very simple and easy to use, their price point was right for us, they had all of the features out of the box that we were looking to implement, and they could stand up an environment for us quickly.
They've got some really smart people and they will give you some valuable insights into usage patterns, similar use cases and implementation best practices.
When implementing an API management platform, you'll also need to think about:
- The UI of your developer portal; they can help you with implementation, but the design is up to you
- Sandboxing/Trial access for your developers and the associated registration flow
- Documentation of your API; are you just going to use swagger/io-docs or are you going to manually write the documentation.
- Network level access; whitelisting/blacklisting and firewalls.
- Change Requests, customisations can be difficult to get approved, and can be costly
- VSMT isn't really supported, so stick to generic content types
- It can be harder to debug issues (timeouts, network access, authentication)
- Their downtime (if any) may reflect poorly on your API
Their whole purpose is to assist your company in building out your APIs, so it's in their best interests to help you grow.
It will assist you with;
- Speed to market
- Accordance with best practices
- Out of the box reporting, key management and developer portal/CMS
- Network opportunities with other organisations
However, this may come at an up-front cost, and a bit more effort to get things going.
Originally published on jordwalsh.com on 7 February 2015 and cross posted by Mashery (https://www.mashery.com/blog/api-management-platforms-do-i-need-one)