WSO2Con EU 2015: API Management Strategies and Best Practices
3 likes910 views
This document provides information on APIs and API management. It defines what an API and managed API are. It describes the roles of API creator, publisher, and consumer. It also discusses API design, the Richardson maturity model, hypermedia controls, API definition with Swagger, API versioning, security with OAuth 2.0 and JWT tokens, access control with scopes, analytics, throttling, deployment, clustering, caching, and integration.
![[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...](https://cdn.slidesharecdn.com/ss_thumbnails/apidayssingapore-managingtheapilifecyclewithopensourcetechnologies-190425063915-thumbnail.jpg?width=560&fit=bounds)
![[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...](https://cdn.slidesharecdn.com/ss_thumbnails/suva-final-171108114608-thumbnail.jpg?width=560&fit=bounds)
![[APIdays NY] Managing the usage of Asynchronous APIs: What does it take?](https://cdn.slidesharecdn.com/ss_thumbnails/apidays-2021-async-210809082511-thumbnail.jpg?width=560&fit=bounds)
Ad
More Related Content
What's hot (20)
Viewers also liked (9)
Ad
Similar to WSO2Con EU 2015: API Management Strategies and Best Practices (20)
![[Workshop] API-driven Integration](https://cdn.slidesharecdn.com/ss_thumbnails/workshopapidrivenintegration1-200207075321-thumbnail.jpg?width=560&fit=bounds)
Ad
More from WSO2 (20)
![[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service](https://cdn.slidesharecdn.com/ss_thumbnails/choreo-deck-250328074645-511dded7-thumbnail.jpg?width=560&fit=bounds)
Recently uploaded (20)
WSO2Con EU 2015: API Management Strategies and Best Practices
- 3. ● An API is a business capability delivered over the Internet to internal or external consumers ○ Network accessible function ○ Available using standard web protocols ○ With well-defined interfaces ○ Designed for access by third-parties ● A Managed API is: ○ Actively advertised and subscribe-able ○ Available with SLAs ○ Secured, authenticated, authorized and protected ○ Monitored and monetized with analytics
- 4. ● API Creator - Design, Implements, Manages and Versions API ● API Publisher - Publishes, Promotes and encourages consumers to adopt APIs ● API Consumer - An Application Developer, understands the API interface definition.
- 7. Richardson Maturity Model Read more in http://martinfowler.com/articles/richardsonMaturityModel.html
- 9. Swagger Swagger is a simple yet powerful representation of your RESTful API. Why do I need it ?
- 12. API Versioning
- 13. Securing an API OAuth 2.0 ● Has become the de-facto standard for API Security ● Primarily operates on an Access Token ● Introduces Grant Types and Token Types ● OAuth 2.0 specification defines 4 major grant types ○ Authorization Code ○ Implicit ○ Resource Owner Password Credentials ○ Client Credentials
- 14. • Recommended for web applications or native mobile applications capable of spawning a web browser Authorization Code Grant
- 15. • Mostly used by Javascript client running in the web browser Implicit Grant
- 16. • Used by trusted Client Applications Resource Owner Password Credentials Grant
- 17. • Two-Legged OAuth. The Client becomes the Resource Owner Client Credentials Grant Type
- 18. Access Control with Scopes • OAuth2.0 Scopes, a mechanism to control what access tokens can do with Resources Defining a Scope
- 19. Access Control with Scopes • Applying a scope to a Resource
- 20. Fine Grained Access Control
- 21. Throttling API Usage • Why do you need to throttle ? • “Rate Limiting”. • Let see how to throttle API usage with APIM. ( demo )
- 23. JWT Token Client / Partner Gateway Key Manager Store Publisher Back EndJWT Token JWT Token
- 24. Analytics Operational Purposes Know when your system is heating up Know when to scale up/down For Alerts/Notifications Threat detection Business Purposes Identify user types/categories by device (User Agent) Identify usage by Geographical location Know when to promote/retire your APIs
- 25. Analytics in API Manager Back End Service Client / Partner Event Streams Event Streams STAT DB Aggregated Data Statistical data retrive for display 1 2 3 3 4 5
- 26. Identity Federation • Useful in scenarios where you need to authenticate users through an Identity System that’s already in place
- 27. Integration with external OAuth servers • Enterprises which already have an identity system capable of doing OAuth might be interested in integrating the API Management platform with it.
- 28. API Facade Pattern • It is an architectural best practice to use the Facade pattern to clearly separate out the API layer and mediation layer to facilitate better separation of concerns
- 29. Deployment FAQ ? • How many servers do I need to achieve my performance requirement ? • How to scale with time ? • Securing the deployment ?
- 30. Deployment Performance Numbers. • 1300 TPS for EC2 m1.large. • Upcoming release AM 1.9 has shown more than 4000 TPS for a tuned setup. We will be benchmarking on EC2 after the release.
- 31. Deployment Client / Partner Back End
- 32. Clustering Step 1 Client / Partner Gateway Key ManagerStore Publisher Back End
- 33. Clustering Step 2 Client / Partner apimgt db Gateway Key ManagerStore Publisher Back End greg db user db
- 34. Clustering Step 4 Client / Partner Back End GW Manager GW Worker Nodes SVN
- 35. Clustering Step 5 Client / Partner Gateway Cluster Key Manager Cluster Store Back End Publisher
- 36. Caching Step 6 Client / Partner Gateway Cluster Key Manager Cluster Store Back End Publisher
- 37. Securing Deployment Client / Partner Gateway Cluster Key Manager Cluster Store Back End Publisher DMZ
- 38. Integration and Automation • We are working on a complete RESTful API for API Manager. • Can find the swagger definition at http: //hevayo.github.io/restful-apim/#/