Governance

APIs need to be managed and governed just like any other resource, otherwise organisations risk losing track of their API estate and becoming unaware of potentially vulnerable APIs running within their infrastructure. This risk is magnified as the number of teams, environments and APIs increases. Use API management as part of overarching business processes to control how APIs are accessed, managed and deployed.

Restrict Version Availability: Enforce the expiry of API versions that are planned for deprecation, by setting a sunset date, beyond which they will not be accessible.

Enforce Key Expiry: In many situations it’s best to issue API keys that have a short, finite lifetime, especially when serving anonymous, external consumers. Set expiry dates for API keys, or use ephemeral credentials with complementary authentication techniques that support key renewal, such as OAuth 2.0 refresh tokens and dynamic client registration. Then, should an API key fall into the wrong hands, there’s a chance that it has already expired.

Use Standardised Specifications: Use the OpenAPI Specification standard to design APIs. These specification documents act as a source of truth that can generate API configuration and portal documentation.

Understand API Usage: Use API analytics to report on usage. This captured data generates useful, actionable insights across a variety of metrics, such as API popularity, performance and trends.

Control API Distribution: Use sharding to control availability of APIs across multi-gateway, multi-environment deployments. This ensures that specific APIs are only available through specific gateways, which helps to prevent undesirable situations, such as internal APIs being published to externally accessible gateways, or test API configurations reaching the production environment.