How to Build, Manage, and Promote APIs


WSO2 API Management Platform

© WSO2 2011. Not for redistribution. Commercial in Confidence.

lean . enterprise . middleware

Chris Haddad, VP, Technology Evangelism

Paul Fremantle, CTO and Co-Founder

Asanka Abeysinghe, Director, Solutions Architecture

Business APIs

“APIs provide a way to make resources available for internal and external partners to access information and services.”

API Architecture

An API is a business capability delivered over the Internet to internal or external consumers

• Network accessible function

• Available using standard web protocols

• With well-defined interfaces

• Designed for access by third-parties

A Managed API is:

• Actively advertised and subscribe-able

• Exhibits high Quality of Service (QoS)

• Available with Service Level Agreements (SLAs)

• Secured, authenticated, authorized and protected

• Monitored and monetized with analytics

A note on our development process

• WSO2 uses an agile, iterative development process

• v1.0 is a Minimum Viable Product

• http://en.wikipedia.org/wiki/Minimum_viable_product

• Just enough features to allow a subset of users to deploy the system in production

• Each further release is aimed at meeting specific user requirements

• Not everything we say today may end up in v1.0

• You can follow progress on dev@wso2.org

• And by joining the Beta programme (details at the end)

WSO2 API Management Platform

API Store Features

API Publisher Features

API Management Platform Details

• Full support for web protocols:

• JSON/HTTP(S), REST interactions

• SOAP/HTTP(S), XML/HTTP(S)

• Non-blocking, high-performance HTTP transport handles thousands of concurrent connections

• API Key Management based on OAuth2

• Get Key (with or without asynchronous approval process)

• Renew Key

• Revoke Key

• Monitoring and analytics

• Latency, Response Time, Failures vs Success, Total Transactions, Transactions by API Key

• By user-specified time period, as well as over the last 1m, 5m, 10m, 1hr, 4hr, 8hr and 24hr periods

API Key Use Case

Understanding the flow

• API Publisher adds API into API Manager

• [Optionally provides sandbox endpoint]

• API Governance / Admin approves publish

• …

• API Consumer finds API

• API Consumer subscribes to API Key

• [optional approval process]

• OAuth2 Bearer Key issued

• [optionally issue both production and sandbox keys]

• …

• API Consumer application makes a call

• API Key is validated

• API Key metadata is used to identify:

• Throttling / Rate limiting policy

• Sandbox / Production endpoint

• Event is metered/monitored against the API, Key, IP address, etc

OAuth

• “An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.”

• Designed to solve the “LinkedIn/Facebook/GMail” problem: a site asking for your password at another service so it can act on your behalf (the password anti-pattern)

• “Valet Key”: a limited credential that grants access to a resource without handing over the owner’s master password

• http://tools.ietf.org/wg/oauth/

Adding Security with BasicAuth/OAuth

OAuth 2

• What’s wrong with OAuth 1?

• Crypto requirements are too onerous: every request must be signed (HMAC-SHA1 / RSA-SHA1) with correctly normalised parameters

• Requires special client side OAuth code

• OAuth 2 Bearer Tokens

• A simple secret token carried over SSL/TLS; anyone who holds the token can use it, so transport encryption is mandatory, not optional

• Allows OAuth2 keys to be used with CURL and common clients

• OAuth2 Bearer Tokens = API Keys

• A token that identifies the application calling the API

• Separate from the user who creates it

• Limited scope to calling one or more APIs

• Can be revoked/renewed without requiring a password change for the user

• Hence can be embedded in application code (server-side code; a key shipped inside a mobile or browser client can be extracted, so treat it there as an application identifier rather than a secret)

• OAuth2 is not yet final, but is stable and implemented

• From the perspective of the API client, no “OAuth2”-specific code is required

• Completely implemented by the API Manager
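The call flow above (key issued, key validated, key metadata selecting throttling policy and sandbox/production endpoint, event metered) and the point that a bearer key is just an `Authorization` header from the client's side, as an added example. This is illustrative code written for this page, not WSO2's API Manager or Gateway implementation; the `Gateway` class, the `KeyRecord` store, the `TIERS` policy table and the `ENDPOINTS` table are in-memory stand-ins for the API Manager's own key store, throttling tiers and endpoint configuration, and the sample keys and hosts are constructed.

```python
"""Added example (not WSO2 code): the managed-API call flow from the deck.

The client sends an OAuth2 bearer key as a plain Authorization header; the
gateway validates the key, uses its metadata to pick a throttling policy and
a sandbox/production endpoint, and records a metering event.  Stores and
tables below are constructed stand-ins, not the API Manager's real ones.
"""
import hmac
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class KeyRecord:
    app: str            # application the key identifies (not the end user)
    apis: frozenset     # APIs the key is scoped to
    tier: str           # throttling policy name
    environment: str    # "production" or "sandbox"
    revoked: bool = False


# Constructed policy table: (requests allowed, window length in seconds).
TIERS = {"bronze": (2, 60), "gold": (1000, 60)}

# Constructed endpoint table, selected by the key's environment.
ENDPOINTS = {
    ("AccountManagementAPI", "production"): "https://accounts.example/prod",
    ("AccountManagementAPI", "sandbox"): "https://accounts.example/sandbox",
}


class Gateway:
    def __init__(self):
        self.keys: dict[str, KeyRecord] = {}
        self.windows: dict[str, deque] = defaultdict(deque)  # per-key timestamps
        self.events: list[dict] = []                         # metering events

    # --- key management: Get / Renew / Revoke from the feature list ---
    def issue_key(self, app, apis, tier, environment="production") -> str:
        if tier not in TIERS:
            raise ValueError(f"unknown tier {tier!r}")
        token = secrets.token_urlsafe(32)   # random, non-guessable bearer key
        self.keys[token] = KeyRecord(app, frozenset(apis), tier, environment)
        return token

    def revoke_key(self, token) -> None:
        if token in self.keys:
            self.keys[token].revoked = True

    def renew_key(self, token) -> str:
        old = self.keys[token]
        self.revoke_key(token)               # old key stops working immediately
        return self.issue_key(old.app, old.apis, old.tier, old.environment)

    # --- validation, throttling, routing, metering ---
    def _lookup(self, token):
        # Constant-time comparison so the lookup does not leak prefix matches.
        for stored, rec in self.keys.items():
            if hmac.compare_digest(stored, token):
                return rec
        return None

    def handle(self, api: str, headers: dict, client_ip: str, now: float) -> dict:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return {"status": 401, "error": "missing bearer key"}
        rec = self._lookup(token)
        if rec is None or rec.revoked:
            return {"status": 401, "error": "invalid or revoked key"}
        if api not in rec.apis:
            return {"status": 403, "error": "key not subscribed to this API"}

        # Sliding-window rate limit chosen by the key's tier.
        limit, window = TIERS[rec.tier]
        stamps = self.windows[token]
        while stamps and stamps[0] <= now - window:
            stamps.popleft()
        allowed = len(stamps) < limit
        if allowed:
            stamps.append(now)

        # Meter against API, application and caller IP (never log the key itself).
        self.events.append({"api": api, "app": rec.app, "ip": client_ip,
                            "time": now, "success": allowed})
        if not allowed:
            return {"status": 429, "error": f"{rec.tier} limit exceeded"}
        return {"status": 200, "endpoint": ENDPOINTS[(api, rec.environment)]}
```

Note what the client never does: no signing, no nonce, no OAuth library. It adds one header and the gateway does the rest, which is exactly why the deck equates bearer tokens with API keys and why the key must only ever travel over TLS.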

Improvements to the core mediation engine

• The “Gateway” component of the AM is based on our core mediation framework from the ESB

• For API Management there are some key improvements:

• API model

• Rate Limiting per Key

• Passthru performance

APIs and Resources

API Syntax

<api name="AccountManagementAPI" context="/am">
    <resource methods="GET" uri-template="/accounts/{accountId}" inSequence="GetAccountIn" outSequence="GetAccountOut"/>
    <resource methods="PUT" uri-template="/accounts/{accountId}" inSequence="UpdateAccountIn" outSequence="UpdateAccountOut"/>
</api>

Note that this syntax / model is internal to the API Manager and the average user will not need to know this. Advanced use cases can take advantage
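How the `<api>` / `<resource>` model above is applied to an incoming request, as an added example. This is illustrative code written for this page, not the API Manager's mediation engine: it parses the deck's own sample definition, matches a method and path to a resource, binds the `{accountId}` template variable and returns the named in/out sequences, with 404 for paths outside the context or matching no template and 405 for a known resource called with an unsupported method. The `Api` class and its `route` method are assumptions for the example; the sequence names are only returned, not executed.

```python
"""Added example (not WSO2 code): routing a request against the <api>/<resource>
definition from the deck.  API_XML is the deck's sample; the Api class and
route() are stand-ins for the gateway's API model, not its real implementation.
"""
import re
import xml.etree.ElementTree as ET

API_XML = """
<api name="AccountManagementAPI" context="/am">
    <resource methods="GET" uri-template="/accounts/{accountId}" inSequence="GetAccountIn" outSequence="GetAccountOut"/>
    <resource methods="PUT" uri-template="/accounts/{accountId}" inSequence="UpdateAccountIn" outSequence="UpdateAccountOut"/>
</api>
"""


def compile_template(template: str) -> re.Pattern:
    """Turn "/accounts/{accountId}" into an anchored regex.

    A template variable matches exactly one path segment, so a request with
    extra or missing segments does not silently hit the wrong resource.
    """
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(f"(?P<{seg[1:-1]}>[^/]+)")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


class Api:
    def __init__(self, xml_text: str):
        # The definition is operator-supplied configuration, not client input.
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        self.context = root.get("context")
        self.resources = [{
            "methods": set(r.get("methods").split()),   # "GET POST" style list
            "pattern": compile_template(r.get("uri-template")),
            "in": r.get("inSequence"),
            "out": r.get("outSequence"),
        } for r in root.findall("resource")]

    def route(self, method: str, path: str) -> dict:
        path = path.split("?", 1)[0]                    # template matches the path only
        if not path.startswith(self.context + "/"):
            return {"status": 404, "reason": "outside API context"}
        sub = path[len(self.context):]
        method_mismatch = False
        for res in self.resources:
            m = res["pattern"].match(sub)
            if not m:
                continue
            if method not in res["methods"]:
                method_mismatch = True           # path known, verb not allowed
                continue
            return {"status": 200, "inSequence": res["in"],
                    "outSequence": res["out"], "params": m.groupdict()}
        if method_mismatch:
            return {"status": 405, "reason": "method not allowed on this resource"}
        return {"status": 404, "reason": "no matching resource"}
```

Because the template is compiled to an anchored pattern and each variable is limited to a single segment, `/am/accounts/42/history` or `/am/accounts/` does not fall through to the account resource; an explicit resource has to exist for it, which is the property you want from an API model that also carries per-resource throttling and sequences.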

ESB Passthru Latency compared to previous models

Scalable Deployment Architecture

Scalable Analytics Deployment

Demo Use Cases

Roadmap Summary

• API Publishing:

• Documentation/Samples/SDK/Links to external docs

• Tagging

• Track consumers by API

• View Statistics by API

• API Subscribing

• Search, Rate, TryIt, Recommend, Post a review

• API Lifecycle Management

• API Versioning

• Manage N APIs via the application concept

• OAuth2 based Key Management

• Throttling/SLA Limits per API

• Integration with BAM for API Statistics

• Skinnable UI

Above: Q2 2012 (Planned)

Q3 2012 (Projected)

• Integration with 3rd party Key Management Systems

• Integration with 3rd party repositories such as GitHub

• Role-based views for usage reports

• User self-registration

• OAuth2 / OpenID based login

• Additional Collaboration Features

• Monetization

* We are actively looking for alpha/beta customers to provide insight and validate the product design

Product Timelines

• WSO2 API Management Platform (WSO2 AMP)

• v1.0 Alpha – April 2012

• v1.0 Beta – May 2012*

• v1.0 Gold – July 2012

• v1.5 Gold - September 2012

• v2.0 Gold - December 2012

Beta Programme

http://wso2.com/products/api-manager/

Questions?


Contact us:

http://wso2.com/contact/

Follow us:

http://twitter.com/#!/wso2
