API Overview
An Application Programming Interface (API) is a common mechanism for an organization to expose content (resources or data) from one application to another for a specific purpose, either within an enterprise or over the internet.
The application providing the content is known as the producer or the called application. The application consuming the content is known as the consumer or the calling application. Effectively, an API is a piece of code acting as an interface or medium that enables content to be transmitted from the producer to the consumer.
An API is made of two components: a communication protocol specification that enables the transmission of content from one application to the other, and a piece of code that uses that specification to contextualize the transaction between the producer and the consumer.
Two reference architectures are used by APIs for the communication protocol specification, viz., REpresentational State Transfer (REST) and Simple Object Access Protocol (SOAP). REST is based on HTTP/URL and SOAP is based on XML. REST-based APIs are the more popular of the two due to their simplicity of use and lightweight nature.
API lifecycle management covers API design, API development, API testing, API deployment, API deprecation and API retirement. API testing covers the functionality, performance and security of the API build. APIs require backward compatibility and strong documentation.
An API physical ecosystem consists of the following key items:
> An API development platform, where the API code is developed,
> An API portal, where all APIs are deployed and onboarded,
> An API gateway, a middleware component positioned in front of the API portal that publishes the API URLs for consumption, acting as the entry point or interface between the external and internal worlds (similar to a load balancer),
> An API endpoint, the physical location or server where the called application is located, which enables the communication between the calling application (via the API gateway) and the called application. Specifically, it is denoted by a URL that gives the location of a resource on a server. A called application can have multiple API endpoints/URLs to provide different services to the calling application,
> A database that the called application at the API endpoint may interact with.
A typical API communications workflow is as follows:
Client (calling application) <-> Web Application Firewall (WAF) <-> dedicated API gateway for each use case <-> API portal <-> API endpoint (called application) <-> Resource or Data
Since an API usually enables the sharing of business content (data or resources) between two applications, API security is of utmost importance. Vulnerable APIs can be exploited to steal sensitive data from corporate environments or to expose users’ personal data. API authentication (verifying who the calling application is) and authorization (verifying what it is allowed to do) take key precedence here.
APIs play a pivotal role in the revenue share of an organization (rightly called the ‘API Economy’). APIs’ functionality, performance and security need to be constantly monitored for effectiveness and to avoid impact to revenue.
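To make the distinction between authentication and authorization concrete, the following is an added example (not code from the original page) of a minimal REST endpoint handler for the called application. It checks the bearer token first (authentication), then the token's granted scopes and the ownership of the requested resource (authorization). The token store, the `orders` resource, the scope names and the `handle_request` function are all constructed for the illustration; a real endpoint would validate signed tokens issued by an identity provider rather than a static table.

```python
"""Minimal REST endpoint with separate authentication and authorization checks.
All identifiers below are constructed for illustration, not from a real system."""
import hmac
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed token store: bearer token -> (user id, granted scopes).
# Assumption: tokens are opaque strings; real systems would verify a signed token.
TOKENS: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "tok-alice": ("alice", frozenset({"orders:read"})),
    "tok-bob": ("bob", frozenset({"orders:read", "orders:write"})),
}

# Constructed resource data served by the called application: order id -> record.
ORDERS: Dict[str, Dict[str, str]] = {
    "1001": {"owner": "alice", "item": "widget"},
    "1002": {"owner": "bob", "item": "gadget"},
}


def authenticate(headers: Dict[str, str]) -> Optional[Tuple[str, FrozenSet[str]]]:
    """Authentication: map the presented bearer token to a known identity.

    Returns (user, scopes) or None when no valid token is presented.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, identity in TOKENS.items():
        # Constant-time comparison so timing does not leak token bytes.
        if hmac.compare_digest(token, presented):
            return identity
    return None


def handle_request(method: str, path: str, headers: Dict[str, str],
                   body: Optional[Dict[str, str]] = None) -> Tuple[int, Dict[str, str]]:
    """Handle GET/PUT /orders/<id>; returns (HTTP status, response body)."""
    # 1. Authentication: unknown caller -> 401 before touching any resource.
    identity = authenticate(headers)
    if identity is None:
        return 401, {"error": "authentication required"}
    user, scopes = identity

    # 2. Route the URL to a resource.
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "orders":
        return 404, {"error": "no such endpoint"}
    order = ORDERS.get(parts[1])
    if order is None:
        return 404, {"error": "no such order"}

    # 3. Authorization: scope check (what the token may do) plus an
    #    object-level ownership check (which records it may do it to).
    if method == "GET":
        if "orders:read" not in scopes or order["owner"] != user:
            return 403, {"error": "forbidden"}
        return 200, dict(order)
    if method == "PUT":
        if "orders:write" not in scopes or order["owner"] != user:
            return 403, {"error": "forbidden"}
        order["item"] = (body or {}).get("item", order["item"])
        return 200, dict(order)
    return 405, {"error": "method not allowed"}


if __name__ == "__main__":
    print(handle_request("GET", "/orders/1001", {}))
    print(handle_request("GET", "/orders/1001", {"Authorization": "Bearer tok-alice"}))
    print(handle_request("GET", "/orders/1002", {"Authorization": "Bearer tok-alice"}))
```

The ordering matters: the handler rejects unauthenticated callers before it looks up any resource, and it checks both the granted scope and the record's owner, since a valid token with the right scope should still not be able to read another user's order.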