Technical Brief
A Checklist for
Every API Call
Managing the Complete API Lifecycle
Hex Hex
#FC4C02 #54585A
� A Checklist for
Every API Call
Table of Contents White
Introduction: The API Lifecycle | 2
Managing the Complete API Lifecycle | 3
Security professionals
API developers
Operations engineers
API product or business owners
Apigee Edge | 7
A Checklist for Every API Call: Managing the Complete API Lifecycle 1
© CC BY-SA
� A Checklist for
Every API Call
Introduction: The API Lifecycle
White
An API gateway is the core of an API management People and the API Lifecycle
solution. But it’s not the whole solution. To learn about the
The following people or teams are stakeholders in the API
components of comprehensive API management, see the
lifecycle and therefore care about the functionality of an
eBook: The Definitive Guide to API Management.
API an API gateway and an API management solution.
When it comes to the API gateway, however, the most
�Security architect or CISOs
important role it serves is ensuring reliable processing of
Developers or enterprise architects
every API call.
Operations engineers
An API gateway manages the entire API lifecycle. It is
imperative that it enables the people responsible for it to API business or product owners
effectively and securely deliver APIs that are easy to use
While most API gateway solutions can do basic API
by app developers.
proxying, APIs have become the fabric of the digital
enterprise, so companies need functionality that
addresses the concerns of all the stakeholders. The key
to helping these people do their jobs? Provide an easy-to-
Design configure tool and extensibility.
Monetize Develop
Analyze Secure
Monitor Publish
Scale
A Checklist for Every API Call: Managing the Complete API Lifecycle 2
© CC BY-SA
� A Checklist for
Every API Call
Managing the
Complete API Lifecycle White
Depending on their roles and responsibilities the primary stakeholders in the API lifecycle are concerned about a number
of different use cases. An API management solution provides the features and capabilities that enable each stakeholder.
Security professionals
Security is paramount for companies when they expose their backend systems or proxy existing APIs.
Given that customers or consumers use first-party or third-party apps on mobile devices, partners do
transactions, and internal developers build apps on sensitive data, companies need to view security from
the perspective of an API call: end to end.
An enterprise should assess potential risk and how to secure and mitigate those risks. The following is a list of security
use cases and the API gateway features needed to address them.
Use case Definition Required feature
Mutual authentication SSL, Authentication of endpoint
Endpoint authentication
VPN, IP whitelisting from which API call originates
Authentication of process
API key validation API caller authentication
from which API call originates
Authorization of process
API key authorization API caller authorization
from which API call originates
API key & request/response
Attributing API calls to right callers API caller auditing
logging
ers
OAuth access token Authentication of end user
API user authentication
validation involved in API call
OAuth Authorization of end user involved
API user authorization
scopes check in API call
User & request/response Attributing API calls to correct
API user auditing
logging end users
A Checklist for Every API Call: Managing the Complete API Lifecycle 3
© CC BY-SA
� A Checklist for
Every API Call
Managing the
Complete API Lifecycle White
Security professionals (Continued)
Use case Definition Required feature
Bots, SQL injection,
virus, compromised user, Screen requests for malicious intent Threat protection
compromised API key
Confidential data screening,
Ensure sensitive data is not
PII data screening, data Leakage prevention (compliance)
accidentally or intentionally leaked
masking
Encrypted transmission and
SSL, storage encryption Data encryption
storage of data
API developers
Productivity is key for API developers. They want to use familiar tools and languages and configure things
easily, and they care deeply about the experience of those who’ll build on the API. API developers have to
ensure that the API behaves as intended and they need to provide quick and precise debugging and optimize the backend
resources that serve the API requests. Here’s a list of the use cases and features that are important for API developers.
Use case Definition Feature needed
Implement APIs using multiple
Extensibility (Java/Javascript)
Service callouts calls to other APIs and aggregate/
including support for Node.js
transform data between the calls
XML to/from JSON, Implement transformation
Request/response transformation
SOAP to REST between popular formats
Path validation,
parameter validation, Validate requests Request validation
header validation
ers
Warnings, error logs, Log intermediate status/data
Logging
debug logs, info logs during request/response processing
A Checklist for Every API Call: Managing the Complete API Lifecycle 4
© CC BY-SA
� A Checklist for
Every API Call
Managing the
Complete API Lifecycle White
API developers (continued)
Use case Definition Feature needed
Thread pools, exception Collect metrics specific
Metrics collection
counts, object counts to API implementation
Load-balance calls made to other
Round robin, least
API implementations from a given Target load balancing
loaded, retries API implementation
Route around issues when making
Fallbacks, back pressure,
calls to other API implementations Target routing
multiple implementations from a given API implementation
Cache data used in
Caching Data caching
API implementations
Encrypt data used in
Encryption, masking Data encryption
API implementations
Track usage of specific data
Custom usage tracking or logic resources within Usage tracking
API implementations
Custom usage records, Track subscriptions or limits
Subscription & limit checks
custom limit enforcement specific to API implementations
Custom caller journey, Track journey specific
Journey tracking
custom user journey to API implementations
Store credentials required
API access keys, database to access data or another API
Credential store
credentials, certificate keys implementations from a given
API implementation
Key value map,
Persist the data required
document store, Data persistence
by the API implementations
graph, relational store
A Checklist for Every API Call: Managing the Complete API Lifecycle 5
© CC BY-SA
� A Checklist for
Every API Call
Managing the
Complete API Lifecycle White
Operations engineers
Operations teams are accountable for the reliability of the service, both internally and externally. Managing
the service level agreements (SLAs) for the APIs is a priority. Operations teams also need tools that enable
them to provide the best service for developers without major increases to infrastructure costs.
Use case Definition Feature needed
Caching of responses to
Caching Response caching
avoid reprocessing requests
Access logging,
Logging of requests and responses Request/response logging
custom logging
ers
Collecting metrics related
Latencies, status codes Metrics collection
to requests and responses
Rate limits, spike arrests, Implementing quality-of-service
Traffic management
concurrency limits, quotas management through traffic shaping
Round robin, Supporting clustered
Load balancing
least-loaded, retries API implementations
Retries, fallbacks,
Routing around faults or
back pressure, multiple Request routing
latencies based on context
implementations
Progressive rollout, Splitting traffic between
Traffic splitting
experimentation two different implementations
A Checklist for Every API Call: Managing the Complete API Lifecycle 6
© CC BY-SA
� A Checklist for
Every API Call
Managing the
Complete API Lifecycle White
API product or business owners
For the API product or business owner, it’s crucial to relate the APIs to the business imperatives and results
in a meaningful way and therefore to instrument APIs to capture the right metrics and measure the impact.
More advanced needs include the ability to have rate cards and charge developers who consume the APIs.
Use case Definition Feature needed
ers
Per-caller tracking,
per-user tracking, Track usage of API calls Usage tracking
per-API tracking
Subscription Validate subscriptions to APIs and
Subscription & limit checks
validation, limit enforcement ensure limits have not been reached
Caller journey, user journey Track journey through API calls Journey tracking
A Checklist for Every API Call: Managing the Complete API Lifecycle 7
© CC BY-SA
� A Checklist for
Every API Call
Managing the
Complete API Lifecycle White
Apigee Edge
Whether you’re a security architect, developer, operations engineer, or API product owner—or you require different
combinations of the features required for these roles—Apigee Edge has you covered. With more than 30 preconfigured
policies, the ability to use common languages like Java, JavaScript, Python, and Node.js, and built-in metrics collection and
reporting, Edge offers the powerful extensibility needed to build and manage every aspect of an API program.
USE CASES TO MANAGE THE API LIFECYCLE
API developer Security professional Operations engineer API product owner
• Service callouts •M
� utual authentication SSL, • Caching • �Per-caller tracking,
VPN, IP whitelisting per-user tracking,
• XML to/from JSON, • �Access logging,
per-API tracking
• API key validation custom logging
• SOAP to REST
• �Subscription validation,
• API key authorization • Latencies, status codes
• �Path validation, parameter limit enforcement
validation, header validation •A
� PI key & request/ • �Rate limits, spike arrests,
• �Caller journey,
response logging concurrency limits, quotas
• �Warnings, error logs, debug user journey
logs, info logs •O
� Auth access token • �Round robin, least-loaded,
validation retries
• �Thread pools, exception
counts, object counts • OAuth scopes check • �Retries, fallbacks, back
pressure, multiple
• �Round robin, least •U
� ser & request/response
implementations
loaded, retries logging
• �Progressive rollout,
• �Fallbacks, back pressure, •B
� ots, SOL injection,
experimentation
multiple implementations virus, compromised user,
compromised APIkey
• Caching
•C
� onfidential data
• Encryption, masking
screening, PII data
• Custom usage tracking screening, data masking
• �Custom usage records, • SSL, storage encryption
custom limit enforcement
• �Custom caller journey,
custom user journey
• �API access keys, database
credentials, certificate keys
• �Key value map, document
store, graph, relational store
A Checklist for Every API Call: Managing the Complete API Lifecycle 8
© CC BY-SA
� A Checklist for
Every API Call
White
About Apigee Where to go from here
Apigee delivers an intelligent API platform to accelerate For more on the anatomy of a sophisticated API
the pace of digital business. We help companies – from management solution, best practices for API security,
disruptive start-ups to the Fortune 100 – use their getting insights from API analytics, extending your basic
enterprise data and services to create connected digital APIs via BaaS, and more, download the eBook,
experiences for customers, partners, and employees. This “The Definitive Guide to API Management”.
is digital business.
The Apigee Edge product helps developers and
For more information, visit apigee.com. companies of every size manage, secure, scale, and
analyze their APIs. Get started with the right Apigee
Edge for your size business.
For additional resources,
visit apigee.com/about/resources/
Share this eBook
A Checklist for Every API Call: Managing the Complete API Lifecycle 9
© CC BY-SA
