While it is really important to build the right API and to build it right, it is equally important to make sure that it’s running right, or to be more grammatically correct, to ensure that your API is behaving correctly.
By now you should have planned and built a clean, simple API that delivers clear business value to give you competitive advantage. Now you’ve reached the point where the rubber meets the road, and as Netflix learned, it can cost you money when things go wrong. As Kin Lane describes in his API Evangelist blog entry The Battle for Your API Proxy, there are a whole range of non-functional requirements it has to meet. Kin lists a bunch of them, but I’m going to break them down into a few smaller groups of capabilities:
Security – an interesting balance. If you get too carried away with security then your API will become very hard for developers to work with. If you make it super easy for developers to work with, you will likely increase security risks. API security covers too broad an array of topics for this post; we will cover things like authentication, privacy, integrity, non-repudiation and the techniques and standards available to address them in another post. For now let’s just point out that security problems could be the death of your API.
Monitoring – covers a range of sins from simple availability monitoring through latency and throughput, message logging, fault tracking, alerting, root-cause analysis and much more. A monitoring solution allows you to understand who is using your API, how they are using it, how your API is behaving and allows you to plan for changes to capacity as and when needed.
Performance Management – there are lots of different names for this and lots of different capabilities I’m grouping together under this one heading. Performance Management includes things like result paging and caching to improve the performance of consumer applications, quota management and throttling to protect your API against overuse and allocate quotas to different consumer apps, load-balancing to even out traffic distribution, and even dynamic provisioning of more capacity as and when needed.
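To make the quota management and throttling point concrete, here is an added example (not code from the original post or from any particular API management product) of the kind of check an API proxy performs in front of your API: a token bucket per consumer app, where each app gets its own sustained rate and burst allowance, unknown apps are refused outright, and a throttled call is told how long to wait so the proxy can answer with 429 and a Retry-After header. The app ids, quota numbers and the Quota/Throttler names are all assumptions made for the example.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Quota:
    """Per-consumer policy: sustained rate in requests/second and burst size."""
    rate: float   # tokens added per second
    burst: int    # maximum tokens the bucket can hold


@dataclass
class Bucket:
    tokens: float  # tokens currently available
    last: float    # clock reading at the last refill


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str = "ok"
    retry_after: float = 0.0  # seconds until one token is available (only set on throttle)


class Throttler:
    """Token-bucket throttler keyed by consumer app id.

    The clock is injectable so the behaviour can be tested deterministically;
    in production the default monotonic clock is used.
    """

    def __init__(self, quotas: dict[str, Quota], clock=time.monotonic):
        self.quotas = quotas
        self.clock = clock
        self.buckets: dict[str, Bucket] = {}

    def allow(self, app_id: str) -> Decision:
        quota = self.quotas.get(app_id)
        if quota is None:
            # No quota means no access: an unregistered app never reaches the backend.
            return Decision(False, "unknown app")

        now = self.clock()
        bucket = self.buckets.get(app_id)
        if bucket is None:
            # First call from this app starts with a full bucket (its burst allowance).
            bucket = Bucket(tokens=float(quota.burst), last=now)
            self.buckets[app_id] = bucket

        # Refill proportionally to elapsed time, capped at the burst size.
        elapsed = now - bucket.last
        bucket.tokens = min(float(quota.burst), bucket.tokens + elapsed * quota.rate)
        bucket.last = now

        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return Decision(True)

        # Throttled: report how long until one token accrues, for a Retry-After header.
        wait = (1.0 - bucket.tokens) / quota.rate
        return Decision(False, "quota exceeded", retry_after=wait)


class ManualClock:
    """Constructed clock for deterministic demonstrations and tests."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    # Constructed quotas: a free tier with a small burst, a partner tier with more headroom.
    quotas = {"free-tier-app": Quota(rate=1.0, burst=3), "partner-app": Quota(rate=50.0, burst=200)}
    throttler = Throttler(quotas)
    for i in range(5):
        d = throttler.allow("free-tier-app")
        print(f"call {i + 1}: allowed={d.allowed} reason={d.reason} retry_after={d.retry_after:.2f}s")
```

The token bucket is a deliberate choice over a fixed per-minute counter: it lets a well-behaved client burst briefly without letting it sustain more than its agreed rate, and the `retry_after` value gives the client an honest signal instead of a bare refusal. In a real proxy the buckets would live in a shared store so that every proxy instance enforces the same quota.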
Reporting – your monitoring solution collected a bunch of metrics and usage data for you; now you have to do something with it. A Reporting solution allows you to analyze your API usage to look for trends you can monetize, or simply to generate usage reports for billing purposes. You can use longer term performance trend reports to manage capacity planning and to predict events that might cause issues.
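The Monitoring and Reporting capabilities above share the same raw material, so here is one added example (not code from the original post or from any API management product) covering both: it parses a small constructed access log in a made-up key=value format, builds per-consumer usage figures suitable for a billing report (call counts, busiest endpoint), and applies two monitoring rules, a server-error-rate threshold and a p95 latency SLO, to decide which consumers need an alert. The log format, app names, paths and thresholds are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Assumed log format, one request per line (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) method=(?P<method>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d{3}) latency_ms=(?P<latency>\d+)$"
)

# Constructed sample log: two consumer apps, one throttled call (429), one
# backend failure (503) and one deliberately malformed line.
SAMPLE_LOG = """
2024-05-01T10:00:00Z app=mobile method=GET path=/v1/orders status=200 latency_ms=120
2024-05-01T10:00:01Z app=mobile method=GET path=/v1/products status=200 latency_ms=90
2024-05-01T10:00:02Z app=partner method=POST path=/v1/invoices status=503 latency_ms=800
2024-05-01T10:00:03Z app=mobile method=GET path=/v1/orders status=429 latency_ms=150
2024-05-01T10:00:04Z app=partner method=GET path=/v1/invoices status=200 latency_ms=200
2024-05-01T10:00:05Z app=mobile method=GET path=/v1/products status=200 latency_ms=110
this line is garbage and is counted as malformed rather than silently dropped
2024-05-01T10:00:06Z app=partner method=GET path=/v1/invoices status=200 latency_ms=950
2024-05-01T10:00:07Z app=mobile method=GET path=/v1/orders status=200 latency_ms=130
2024-05-01T10:00:08Z app=partner method=GET path=/v1/orders status=200 latency_ms=300
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "app": m["app"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "latency_ms": int(m["latency"])}


def percentile(values, p: float) -> int:
    """Nearest-rank percentile: the smallest value with at least p% of samples at or below it."""
    if not values:
        return 0
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(lines, error_rate_alert: float = 0.10, p95_alert_ms: int = 500):
    """Build a per-app usage report and raise alerts where monitoring thresholds are crossed.

    Returns (report, malformed_count). Only 5xx responses count as errors: a 429 is
    the proxy doing its job, not the API misbehaving.
    """
    per_app = defaultdict(lambda: {"calls": 0, "errors": 0, "latencies": [], "paths": defaultdict(int)})
    malformed = 0
    for line in lines:
        if not line.strip():
            continue  # blank lines carry no information
        rec = parse_line(line)
        if rec is None:
            malformed += 1  # count, don't hide: a parser gap is itself a monitoring finding
            continue
        stats = per_app[rec["app"]]
        stats["calls"] += 1
        if rec["status"] >= 500:
            stats["errors"] += 1
        stats["latencies"].append(rec["latency_ms"])
        stats["paths"][rec["path"]] += 1

    report = {}
    for app, stats in per_app.items():
        error_rate = stats["errors"] / stats["calls"]
        p95 = percentile(stats["latencies"], 95)
        alerts = []
        if error_rate > error_rate_alert:
            alerts.append("error_rate")
        if p95 > p95_alert_ms:
            alerts.append("p95_latency")
        top_path = max(stats["paths"].items(), key=lambda kv: kv[1])[0]
        report[app] = {"calls": stats["calls"], "error_rate": round(error_rate, 3),
                       "p95_ms": p95, "top_path": top_path, "alerts": alerts}
    return report, malformed


if __name__ == "__main__":
    report, bad = summarize(SAMPLE_LOG.splitlines())
    for app, row in sorted(report.items()):
        print(app, row)
    print("malformed lines:", bad)
```

The same per-app rows feed both uses the post describes: the call counts and busiest endpoint are the input to a usage or billing report, while the error-rate and p95 checks are the monitoring rules that page someone. Keeping the two on one parsed dataset avoids the common situation where billing and alerting disagree about how many calls a consumer actually made.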
At the end of the day, you could build some of these capabilities into your API directly (the exceptions being things that require a proxy, like quota management and load-balancing), but why would you want to? You should be focused on delivering the best API you can deliver, and should delegate the non-functional requirements to an API Management platform that excels at delivering these things. Whether you use a SaaS solution, an on-premise solution or a hybrid approach should be entirely up to you.