As SaaS and mobile application development–and cross-software integration and communication–continue to become increasingly important for organizations across all industries to remain competitive today, APIs play a critical role. In fact, APIs dominate digital experiences today, with an average of 220 new APIs published every month, representing a 30% increase over the previous four years.
As more organizations shift to an API-first development strategy to further drive innovation, partnerships and rich end user experiences, the proliferation of demand and consumption of APIs can bring its own challenges, if not properly executed from the get-go. Amidst the ever-increasing rush to develop and publish an API to remain competitive, we see several common issues arise–and often only after the API is rolled out–that negatively impact integrations, future partnership opportunities and end user experiences. Read on for a look at these common challenges and how to address them before you hit publish on your next API.
Infrastructure Costs
One of the biggest challenges when it comes to API design is the ability to manage costs, in particular infrastructure costs. From managing multiple gateway servers and instances, to building an entire API management program from the ground up, we see many common infrastructure approaches that organizations deploy today when designing APIs that lead to unnecessary and often unwieldy expenses.
Critical to avoiding spiraling infrastructure costs is leveraging a single gateway to deploy, govern, secure and deliver global API traffic across various data centers. By using this approach, organizations can reduce man-hours spent managing and synchronizing servers; increase reliability by eliminating the need to manage multiple gateway instances; govern APIs without needing to build and maintain a separate API management platform; and eliminate regional gateway replication.
By considering an API gateway at the outset of a design project to ensure API-centric operations (such as authentication, authorization and throttling) are happening at the edge, organizations can proactively control costs and avoid financial surprises.
Scale
To a developer, there’s nothing worse than having a wildly successful API that can’t scale to meet the demand.
Addressing scalability early on in the process helps determine early adoption, future success and the lifespan of the API. However, organizations commonly overlook the need to manage scalability in several ways–including planning for surges in API traffic and managing the volume of API requests consumers can make–which can lead to a damaged user experience.
Developers should look to a combination of load testing, authentication, throttling, quota management and API caching at the edge to predict and handle traffic, while preventing infrastructure from being overwhelmed by requests, to ensure availability and reliability for consumers. Building in load testing early on can help a developer determine the traffic volume the application can withstand when surges in requests occur.
Quota management can help enforce business service level agreements and limit the number of API requests that a partner is allowed to make. When it comes to API caching, some good places to start include: any resource accessible via HTTP GET, static data, immutable responses, infrequently altered or predictable responses and frequently requested data.
Security
While the commercial value of API development is clear, the reality is APIs can come with great cybersecurity risk. For one, APIs can provide a glimpse into the back-end of an application implementation and even the database it is connected to, providing hackers with new avenues for attacks. As the communication bridge between multiple applications, APIs left unprotected can also increase an organization’s attack surface and expose it to downtime and malicious attacks, including unintended misuse by legitimate users.
Critical to protecting APIs is incorporating security at the infrastructure level with a multi-pronged approach that includes leveraging an API gateway to easily validate, authorize and control the access of legitimate API consumers (and block illegitimate ones), and endpoint protection against malicious traffic. Additionally, rate limiting–which puts caps on the number of requests per minute or second that API consumers can make–can prevent adversaries from overloading the origin in an attempt to bring down API infrastructure in the form of a DDoS attack.
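The edge controls described in the Scale and Security sections (a per-consumer rate cap, a per-partner request quota, and caching only responses that are safe to cache) worked through as an added example; this is not Akamai's code, and the consumer ids, limits and lowercase header keys are constructed assumptions:

```python
import time

# Constructed policy table: the gateway keys each consumer by its API key id (assumption).
POLICIES = {
    "partner-a": {"rate_per_second": 5.0, "burst": 5, "quota": 1000},
    "partner-b": {"rate_per_second": 1.0, "burst": 2, "quota": 10},
}


class EdgeAdmission:
    """Token-bucket rate limit plus a hard request quota, evaluated per consumer at the edge."""

    def __init__(self, policies, clock=time.monotonic):
        self.policies = policies
        self.clock = clock
        self.tokens = {}  # consumer -> (tokens left in bucket, time of last refill)
        self.used = {}    # consumer -> requests already counted against the quota

    def admit(self, consumer, now=None):
        now = self.clock() if now is None else now
        policy = self.policies.get(consumer)
        if policy is None:
            return (False, "unknown consumer")  # unauthenticated traffic never reaches origin
        if self.used.get(consumer, 0) >= policy["quota"]:
            return (False, "quota exhausted")    # business SLA cap, independent of burst rate
        tokens, last = self.tokens.get(consumer, (policy["burst"], now))
        tokens = min(policy["burst"], tokens + (now - last) * policy["rate_per_second"])
        if tokens < 1:
            self.tokens[consumer] = (tokens, now)
            return (False, "rate limited")       # short-term cap protects the origin from floods
        self.tokens[consumer] = (tokens - 1, now)
        self.used[consumer] = self.used.get(consumer, 0) + 1
        return (True, "ok")


def edge_cache_ttl(method, status, headers):
    """Seconds an edge may cache a response; 0 means every request goes to origin."""
    directives = {}
    for part in headers.get("cache-control", "").lower().split(","):
        key, _, value = part.strip().partition("=")
        if key:
            directives[key] = value
    if method != "GET" or status != 200:
        return 0  # only successful GETs are candidates, as the article recommends
    if "no-store" in directives or "private" in directives or "set-cookie" in headers:
        return 0  # per-user or sensitive content must not be shared from a cache
    if "immutable" in directives:
        return 31536000  # one year: origin promised the body never changes
    if directives.get("max-age", "").isdigit():
        return int(directives["max-age"])
    return 0
```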
Organizational Decentralization
As speed and agility increase exponentially and API development evolves from microservices to nanoservices with individual team members owning what feels like ever-shrinking components, it’s easy to see how teams can organizationally splinter. While autonomy is important to making the development process flow quickly, decentralization is creating major governance and communication issues within many organizations today.
This lack of governance creates its own challenges related to configuration visibility, changes and duplications across implementations, which can lead to wasted resources, data leakage and more. Organizations should consider a single gateway that can expose APIs across multiple, distinct implementations but also provide suitable isolation, so that requests to one API do not affect the performance of others, while also providing separate control pages and the ability to set up distinct authorization and access rules for each API. The idea is that the APIs are managed in the same decentralized way that speed and agility require, but under centralized infrastructure and governance policies.
Strategic API design is not a simple task, but it is absolutely critical to organizations that desire long-term API success. Seeking cost-effective infrastructure, tapping tools to ensure scalability, building security protocols, practices and policies, and taking steps early on to manage the API design process more centrally will ensure longevity for the API, driving strong partnerships and, ultimately, providing better user experiences.
This article was co-authored by Anthony Larkin, director of product marketing at Akamai. Anthony leads the go-to-market strategy for Akamai’s performance product portfolio. For more than 11 years at Akamai he has been dedicated to helping businesses remove barriers and unlock their potential to better engage users through web and mobile applications.