API Management Strategy
- Robust strategy is mandatory
- Allowing users to create, manage, secure, analyze and scale APIs is important
- Managing the architecture, performance and security is critical
- Managing and engaging developers is crucial
- Permitting developers to rapidly create APIs from existing data and services is essential
API management infrastructure
- API gateways are the platform for hosting API proxies
- API developer portals allow for the usage of published APIs
- API management UIs permit the management and development of APIs, API proxies and API environments
API management features
- Analytics and statistics help understand how the API is being used
- Developer-friendly documentation with examples is crucial to encourage developers to use the system
- Engaging the API consumers, developers and partners is extremely important for onboarding
- Sandbox environments allow for developing and testing code
- Support should be provided for public and private cloud
- Identity and access management should be provided for security
- Traffic management and caching features should be provided
- Support should be provided to monetize the API
- Support should be provided for legacy systems
- The service should be available, scalable and redundant
API Management Best practices
- Ensure the system allows for authorization, billing and payment for API usage
- Provide an easy-to-use environment for users to integrate and compose APIs
- Permit the management of the API life cycle and SOA governance
- Provide users with a unique API key that can be used to track usage and set permissions for SLAs
- Enable throttling and configure SLA tiers to help prevent abuse
- Ensure security detection and prevention are available to prevent malicious functions
- Standards need to be enforced during the API life cycle
- APIs should be easy to read about, discuss, and test
- Cataloging should be performed to enable API discovery and use
- APIs need to be monitored to track usage, errors and malicious attacks
- An API portal should be available to engage with developers and B2B partners
- APIs should be virtualized and protected using an enterprise gateway
- Notification should be sent when an event impacts an API
- APIs should be searchable using custom taxonomies or search functionality
- API traffic should be monitored to track metrics for monetization purposes
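
The per-key tracking and SLA-tier throttling described in the list above can be sketched as a token bucket per API key. This is an added example, not code from any particular gateway; the tier names, limits and keys are constructed assumptions.

```python
import time
from dataclasses import dataclass

# Hypothetical SLA tiers: (burst capacity, sustained requests per second).
TIERS = {"free": (5, 1.0), "gold": (50, 20.0)}

# Constructed key-to-tier mapping; a real gateway reads this from its key store.
API_KEYS = {"key-free-001": "free", "key-gold-001": "gold"}

@dataclass
class Bucket:
    capacity: float   # maximum burst size for the tier
    rate: float       # tokens refilled per second
    tokens: float     # tokens currently available
    updated: float    # clock value at the last refill

class Throttle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock    # injectable so tests can control time
        self.buckets = {}     # api_key -> Bucket
        self.usage = {}       # api_key -> allowed/throttled counters

    def check(self, api_key):
        """Return (http_status, retry_after_seconds) for one request."""
        tier = API_KEYS.get(api_key)
        if tier is None:
            return 401, 0.0   # unknown key: reject before spending any quota
        now = self.clock()
        capacity, rate = TIERS[tier]
        b = self.buckets.get(api_key)
        if b is None:
            b = self.buckets[api_key] = Bucket(capacity, rate, capacity, now)
        # Refill in proportion to elapsed time, never above the burst capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.updated) * b.rate)
        b.updated = now
        stats = self.usage.setdefault(api_key, {"allowed": 0, "throttled": 0})
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            stats["allowed"] += 1
            return 200, 0.0
        stats["throttled"] += 1
        # Tell the client how long until one full token is available again.
        return 429, (1.0 - b.tokens) / b.rate
```

The `usage` counters give the per-key numbers that monitoring and billing need, and a sustained run of 429s on one key is a useful abuse signal.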
API monitoring strategy
- Determines if APIs are available and functioning as expected
- Works together with CI/CD to automatically test new version of
- Provides important performance data to the developers and operational teams
Tool selection
- The tool needs to be intuitive in order to use it to its full potential
- Existing scripts created with API tools should be reusable and importable
- Scheduling should be available to run monitors at peak times and various intervals
- Sequencing and assertions should be available to ensure that APIs return the correct data
- The tool should make data easy to consume and share to provide actionable insights
- The tool should be adaptable and easy to integrate into your existing infrastructure
- The tool should be able to alert the users quickly, using multiple methods, when something goes wrong
Methods for creating API monitors
- Import OpenAPI Specification or Swagger specification files
- Import test scripts from SoapUI or ReadyAPI
- Create new API endpoint monitors using a URL and add assertions and validations
- Create a chained API endpoint monitor using endpoints, URLs and validations
Advantages of reusing functional tests
- Real API functionality can be continuously tested
- Existing functional tests already have assertions and more descriptive error messages
- Functional API monitors imitate real usage and provide insight to technical operations
- Using a single tool for testing and monitoring APIs decreases expenses and the learning curve
API monitoring best practices
- API availability needs to be tracked and logged
- API transactions and authentication need to be monitored
- Data collected from monitoring needs to be benchmarked against competitors
- To prevent SLA breaches, alerts should be sent for any outages or performance issues
- Tests need to be configured with request headers for simulating an API transaction
- Basic HTTP authentication needs to be supported to ensure secure and reliable data
- Multiple APIs need to be monitored if they are part of an application to determine any performance bottlenecks
- Analyse performance trends on monitoring data collected over time
- APIs need to be tested to ensure the data is correct and in the right format
- Integrate the API testing system data with the monitoring systems
- API monitoring for performance and functional uptime testing can help avoid security breaches
- Comprehensive end-to-end testing and monitoring should be performed to understand the big picture
- Functional monitoring should be performed at regular intervals to reduce human error
- Business activity should be monitored to determine how users are deriving business value from the APIs
- Metrics need to be tracked to determine how much money is created from the API for both client and business
- Functionality should be available for clients to write their own customized tests
API management tools
Tool selection criteria
- Tools need to be easy to use and have good training and support documentation
- Tools need to support scalability and growing demand for APIs
- Strong single sign on and SSL support are crucial in maintaining security
- The tools should provide functionality for publishing and consuming APIs
Kong API management tool
- One of the best open source API gateways
- Good for startups, small, medium, and large sized businesses
- Delivery can be as a proxy solution
- Enterprise pricing plans are available as well as a free evaluation plan
3scale API management tool
- Provides a strong developer portal
- Good for startups, small, medium and large sized businesses
- Delivery can be as a proxy, agent and hybrid solution
- Professional and enterprise pricing plans are available
Apigee API management tool
- Best tool for monetization of APIs
- Good for small and medium sized businesses
- Delivery can be as a proxy, agent or hybrid solution
- Professional and enterprise pricing plans are available as well as a free evaluation plan
Akana
- Has strong life cycle management tool
- Good for large enterprise sized businesses
- Delivery can be as proxy, agent or hybrid solution
- Professional and enterprise pricing plans
API monitoring tools
- Both open source and commercial API monitoring tools are available
- Endpoints can be monitored for uptime, availability, response time, performance and other variables
- Provide functionality for logging, visualization and time series data
Time series data gadgets
- Assertible: API management tool
- AlertSite: API monitoring tool that supports mobile and SaaS applications
- Open source tools: Prometheus is a time series monitoring tool, Graphite is a push-based monitoring tool, InfluxDB is part of the larger TICK stack
API Metrics stakeholders
- The infrastructure team needs metrics to ensure the API services are running correctly
- Development teams need metrics to ensure the APIs are running quickly and bug free
- Sales and marketing need to ensure the customers' needs are being met by the APIs' features
- Product management needs to balance creating new APIs with maintaining existing APIs, while ensuring all stakeholders are satisfied
Infrastructure API metrics
- Uptime is one of the key metrics for measuring service availability
- CPU usage can indicate high demand or an API performance issue
- Memory usage can help determine if memory needs to be increased or decreased
Development API metrics
- Requests per minute can be used by development to help make the API more efficient
- Average and max latency indicate to the developers and infrastructure team that something is slowing down the API services
- Errors per minute indicates that the API has bugs or that it is being called with incorrect parameters
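
The three development metrics above can be derived directly from gateway access logs. The following is an added example, not part of the original notes: the log format, sample lines and alert thresholds are constructed assumptions. It splits errors into 4xx (incorrect calls) and 5xx (API bugs), matching the two causes named in the last bullet.

```python
from collections import defaultdict

# Constructed sample access-log lines (assumed format):
# ISO timestamp, API key, method, path, HTTP status, latency in ms
SAMPLE_LOG = """\
2024-05-01T12:00:03Z key-a GET /orders 200 120
2024-05-01T12:00:17Z key-b POST /orders 400 15
2024-05-01T12:00:41Z key-a GET /orders/7 500 950
2024-05-01T12:01:05Z key-a GET /orders 200 80
not a log line
2024-05-01T12:01:30Z key-c PUT /orders/7 401 10
2024-05-01T12:01:59Z key-b GET /orders 200 90
"""

def per_minute_metrics(log_text):
    """Aggregate requests, error counts and latency per minute bucket."""
    buckets = defaultdict(lambda: {"requests": 0, "client_errors": 0,
                                   "server_errors": 0, "latencies": []})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not (parts[4].isdigit() and parts[5].isdigit()):
            skipped += 1  # malformed lines are counted, not silently dropped
            continue
        ts, _key, _method, _path, status, latency = parts
        b = buckets[ts[:16]]  # bucket key is "YYYY-MM-DDTHH:MM"
        b["requests"] += 1
        code = int(status)
        if 400 <= code < 500:
            b["client_errors"] += 1   # caller used incorrect parameters or credentials
        elif code >= 500:
            b["server_errors"] += 1   # the API itself failed
        b["latencies"].append(int(latency))
    report = {}
    for minute, b in sorted(buckets.items()):
        lat = b.pop("latencies")
        b["avg_latency_ms"] = sum(lat) / len(lat)
        b["max_latency_ms"] = max(lat)
        report[minute] = b
    return report, skipped

def alerts(report, max_latency_ms=500, max_server_errors=0):
    """Flag minutes that breach the (assumed) latency or 5xx thresholds."""
    return [m for m, b in report.items()
            if b["max_latency_ms"] > max_latency_ms
            or b["server_errors"] > max_server_errors]
```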
Business API metrics
- Unique API consumers is used by product managers to determine the number of customers using the APIs
- API usage is important for product managers to determine demand for existing APIs
- Top customers by API usage tells the business who they should work with to develop new API services
- API retention allows the business to determine if more funding should be spent on development or growth
- Time to first Hello World determines the effectiveness of the documentation, tutorials and marketing efforts
- API calls per business transaction indicates the effectiveness and efficiency of your endpoints
SOAP UI API testing
- Can be used for testing SOAP and RESTful web services
- Can be used for functional, performance, security, interoperability and regression testing
- Can be used for creating virtual services that can be used for test driven development
- 2 errors: 400 means something is wrong with the client, 500 means something is wrong with the API
SOAP UI Rest API testing
- Create, read, update and delete
- GET requests can be used to read or retrieve data
- POST requests can be used to add new data
- PUT requests can be used to update existing data
- DELETE requests can be used to remove data
SOAP UI SOAP API testing
- WSDLs can be imported and default requests can be auto generated
- Supports common standards such as WS-Security, WS-Addressing, WS-ReliableMessaging, and MTOM
- WS-I compatibility testing permits validating both contracts and methods
- Mock services can be created from WSDLs to simulate simple and complex user behavior
SOAPUI performance testing
- Baseline testing examines the system under normal load, which can be compared with other tests
- Load testing involves increasing the load to test how the system performs
- Stress testing involves increasing the load until the system stops working
- Soak testing includes running baseline or load testing over a period of time
- Scalability testing involves testing the system to ensure it scales as expected
SOAPUI API security testing and options
- Performs common security tests such as SQL injection attacks and XML bombs
- The empty option creates a test with no pre-configured security scans
- The automatic option creates a default set of security scans
- The full control option allows you to select security scans for your tests
SOAPUI automated testing
- Create REST project > enter URL and click OK
- The GET resource appears as request1
- Top window: method > GET and endpoint, then run the request
- The right side shows the response with XML, HTML, JSON
- Right click on request one > add test case > enter test suite name > click OK > enter test case name > enter request name and click OK
- Click on the assertion tab at the bottom of the window > click the + sign > JSON path expression
- On the project URL > right click > add resource > POST
- Same steps to add a test case