Getting started with APIs isnt always easy, there are tons of documents and techniques that can be used to leverage the idea of building your own APIs. The API, how simple it is, requires a big amount of ground work so as to ensure the API is properly utilized and secured. The API needs to be properly organized, maintained and well documented, such that the API could be consumed correctly.
What is an API?
API or Application Programming Interface is defined as a software term that allows two applications to talk to each other, send messages, request for a resource modification etc. API is used to create a bridge between the two application using a set of protocol that the two application mutually understand.
In modern day world, API is sometimes used interchangebly with Web APIs which means an interface that gives a web url or web based endpoint which can be called anytime using proper HTTP verbs (GET, PUT, POST, PATCH etc.) to perform operation on a particular resource or a batch of resources.
What is API Management?
API Management of
APPSeCONNECT helps an organization to create, maintain and publish APIs for their various data sources
such that the data can be easily accessed and maintained quickly without needing
a separate development team. The API management platform provides an interface which any developer can
access to create or configure services.
Companies today want to make their various data sources to be available through web so that these data sources and services can be consumed by apps running on mobile or desktops. For instance, a company can provide APIs to announce product pricing such that when any change is made to the prices, the API automatically gets an update and notifies the API consumers easily.
API management provides core competencies which will allow developers or implementers to publish,
protect and secure API gateway which follows industry standard protocol
Representational State Transfer (REST) to ensure
the API can be consumed easily from 3rd party applications. This article provides an overview of common scenarios
that involve API Management. It also gives a brief overview of the main components used in the API
What is RESTFul API?
One of the most popular protocol that is prevalent in the market today is REST or RESTFul APIs. The REST is named as Representational State Transfer is very easy to understand and fully utilizes all the advantages of HTTP (Hyper Text Transport Protocol). This means as an API consumer, there is no need to install additional software or tools to consume such APIs.
REST as a protocol gives lot of flexibility to the consumers. It is not tied directly to a particular resource or methods, and hence it can handle multiple types of calls, can return a number of data formats, and even can change the data scheme. Hence, we can say, REST uses correct implementation of Hypermedia.
Planning your API
Planning an API and designing it before actually implementing it on any API stack is sometimes important. Most of the steps should be performed while designing and planning an API such that the API after developed and being consumed by a large number of consumers are less changed and / or revised.
By many means, building an API is just like designing and architecting a new house. You can say, that you need to build a house just like the one you point to, but without any blueprint or proper desing and prepanning, it is high chance that the house would eventually look very different than one you have been intended for. It is important that you create solid foundation of your API, just as you would do it for your house. You should understnad what your API should be able to do, and how it should work, how its scope could be and what are the things you want to hide from external users.
How to design API endpoint security
Security is another important element for any application or service, especially when it is exposed through www (or World Wide Web). There will be eventually a hundred or thousands of applications making calls to the APIs on daily basis. It is important to protect your APIs from attacks.
APPSeCONNECT API Management
APPSeCONNECT being an API management platform allows to create, manage, deploy, maintain APIs for an organization such that the APIs can be easily tracked inside the organization. Let us look how to create or manage API management inside APPSeCONNECT platform.
To create an API at the first place, there are a number of things you require,
- You need an Active APPSeCONNECT Account. Go to Home Page for login details
- You need to know all the data sources that are used for the APIs.
- You need to create or configure APPS on the platform.
Registering an URL
Once all the prerequisites are installed and configured correctly, the first thing that you need to do, is to register your API endpoint URL. To register an url,
- Login to APPSeCONNECT Portal. Go to Home Page for login details
- Go to API management from the sidebar.
- A popup window will open where you will provide the API
URL(Uniform Resource Locator).
Input the details in the window and Select the License type from the drop down list.
- Apache License 2.0 - The Apache License Version 2.0 requires security of the copyright notice and disclaimer.
- BSD 3-Clause Revised License - Prohibits others from using the name of the contributors to stimulate derived products without written consent.
- GNU General Public License Version 3.0 - The GNU General Public License is designed to guarantee freedom to share and change all versions of a program to make sure it remains free software for all of its users.
- The Unlicense - The Unlicense is a template for disclaiming copyright monopoly interest in software in other words, it is a template for dedicating your software to the public domain.
- The BSD 2-clause Simplified License - The BSD 2-clause license allows the user almost unlimited freedom with the software which includes the BSD copyright notice in it.
The registered base url for the organization will be at https://[registrationkey].appseconnectapi.com. Once a base url is registered for the organization, you are ready to implement your first API on the platform.
Register URL is unique to an API and once you have registered the URL, the same URL cannot be registered again
- To create a new API, you have two option : i. Create a Webhook Endpoint (Webhooks are generally POST URLs without Authentication) ii. Create Proxy Endpoint
In this article we will look primarly on Proxy APIs, which allows to create a full fledged API connecting to a specific backend application.
Configuring Authentication Server
To configure authentication server, click on
Authentication button from top menu, a new popup
appears which will allow you to generate Client Id and Client Secrets.
In the popup, you are supposed to select a particular user for which you want to generate Client ID & Client Secret .
Basic authentication standard you are supposed to provide
Authorization header to every request.
Each API will be validated to its users and a separate log will be created.
When authoirization is failed, it will return
401 Unauthorized error response.
Currently, AEC API is supporting only Basic Authentication.
To create a new API, first you need to select
Create API button from the Proxy screen. A new popup will open which will allow user to
create a new API through a wizard.
The Wizard starts with Basic Information screen which corresponds to the Frontend of the application. This section allows the organization to define the API url endpoint, the description, the HTTP Method, Versioning, etc.
The URL generated for the API will be shown while data is created.
Each API comes with a number of policies which can be applied to a certain API such that
during execution, the rules will be applied automatically to that particular API. Here are the list
of policies that can be applied to the
APPSeCONNECT API stack.
- IP Restrict Policy
- Validate HTTP Request Header Policy
- Compress Response Policy
- Response Content Type Conversion Policy
Backend is the main data source of an application. When configuring the data source, primarily, you need to first consider whether the proper data source is picked up or not. To consider picking up correct resource you have two options
- Choosing Backend Application from Pre-packaged Apps
- Creating new backend application connecting your data source
Once the backend is properly selected, you can pick it for your API.
When dealing with backends, it is also important to consider how you will put credentials for the application. To ensure you properly pick the credential make sure you have configured the environments correctly and also provided credentials for the applications created.
Response configuration represents how the response is returned for the APIs. The API generally return in JSON or XML based on the content type of the request. Once a request is made, you are allowed to identify the response from backend server and depending on either success or failure, you can customize your messages which will be returned.
Here the response is configured using custom message.
Some real world API use cases
As it is always important to look at some of the use cases of APIs such that as a business personnel, you can easily understand the proper utilization of an API Management system and also which can help you decide the suitable APIs which suits your business need.
API Connecting on premise data source
Let us suppose you have a legacy database system that collects and collates data from various existing systems, and remains on a central location as archive providing various validation and data intellegence requirements. Read More
Proxy for existing Web API
Proxies help to build an additional layer in between the existing APIs and the server such that you can put a layer on the API gateway which will keep track of API requests, manage your own standard authentication, provide custom interfacing to the backend services, generalize the filters and messages etc. Read More
API connecting to a static file
Files are sometimes less prone to be exposed to the Web as API. Since, if you expose the file to the external world, the consumers would tend to download or upload the whole file at go, and you as a owner of the file would be having less power to change your content.