What is API Management and What are the different phases in API Lifecycle?

Deepak Maheshwari
Feb 19, 2022

Demand for APIs is very high these days, driven by new business models, application development trends, and the urgency of modernization, and as a result APIs are treated as first-class citizens. API Management is one of the key aspects of API standardization: it helps manage the API lifecycle and ensures that public and private APIs are consumable, secure, and managed.

Multiple packaged solutions are available for full API lifecycle management; the leaders among them are Google (Apigee), MuleSoft, IBM, Axway, and Kong. See the full Gartner report for 2021.

For any API Management effort, the key phases of the API lifecycle are listed below. For the lifecycle to be successful, it needs to be overseen with strong API governance.

API Lifecycle

Design — After identifying the business requirements through means such as Event Storming, Domain-Driven Design, and business process maps, the API architects create the API design using REST principles and produce the logical data model, logic services, resource naming, request-response properties, and API grouping.

API Specs — Once the API design is complete, the architect or tech lead writes the API specifications using technologies like Swagger or RAML. Based on my experience, many teams treat this phase as optional, or sometimes combine it with the design phase. From my perspective, there is merit in keeping this phase separate: it really helps in designing specifications at a detailed level, such as API resources, HTTP methods, and handling of response codes, and if this phase is done in the right manner, it makes developers' lives easy. Otherwise, there is potential for rework, which can impact project timelines negatively. Additionally, it is helpful for API documentation, which can be used by consumers and helps bring new team members up to speed quickly.

Develop — This phase is mainly for developers, who build the API using the programming language of their choice or the one recommended by the organization. APIs are developed as per the API specs, and developers are also responsible for code quality activities such as writing test cases that meet a defined threshold, code reviews, static and dynamic security scans, mutation testing, etc.

Secure — In this phase, typical security standards are discussed and implemented. Parameters for the Secure phase include who can access the API, how authentication and authorization are managed, how consumers access the API (Basic Auth, OAuth2, OIDC, SSO, etc.), CORS, and IP whitelisting. Additionally, the security requirements that follow from the API type (internal / external) and from where it is hosted should be implemented.

Deploy — In this phase, the API is deployed into the respective target environment using an automated DevSecOps CI/CD pipeline. The API must pass all the stages, such as code build, test cases, automated test cases, and scans, and only then should it be deployed to the target host, whether on-premises or cloud. Many companies follow an approach where the pipeline detects code changes using webhooks and auto-deploys them to the required environment; it all depends on the maturity of the DevSecOps process.

Test — Here the testing team comes into the picture; they are responsible for running all kinds of testing: automated, manual, performance, etc. After successful testing, APIs are certified to be published.

Publish — This phase is responsible for the API catalog; APIs are published in the developer portal for consumption. Different portals, such as an API catalog or an API marketplace, can be made available depending on whether the consumers are internal or external. Many tools are available to support this, such as Akana, Anypoint, and Apigee. Don't forget to keep API versioning in mind when publishing an API.

Monitor — In general, the Monitor phase overlaps with multiple phases, such as Publish and Deploy. API monitoring can be done during the deployment phase, where interested parties can inject developer productivity monitoring tools like Hygieia and Grafana. We can also monitor API performance and test results during CI/CD pipelines. But the main intent of the Monitor phase is to capture telemetry and observability data to measure API availability, traffic, usage, trends, etc. by integrating with industry tools like Splunk, Elasticsearch, and Datadog.

Manage — By this phase, our APIs are available for consumption, but we are not always developing new APIs; there is often a need to enhance and maintain existing ones based on new requirements. Additionally, in this phase we need to remember to retire unused APIs.

Discover — This is an important step in the API lifecycle. It helps stakeholders such as Enterprise Architects discover the APIs available in the ecosystem.

Beyond API management, it is equally important to have API governance, which helps enable consistency across APIs.
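One way to automate part of that governance as a pipeline gate, shown here as an added example that is not from the original article: a check over an OpenAPI 3 document that flags operations left open to anonymous callers, operations that reference a security scheme the spec never defines, and secured operations that do not document a 401 response. The sample spec is constructed, and the three rules and the `lint_spec` name are assumptions chosen for illustration.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample spec, not a real API.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0.0"},
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],  # default for every operation
    "paths": {
        "/orders": {
            "get": {"responses": {"200": {}, "401": {}}},
            "post": {"security": [], "responses": {"201": {}}},
        },
        "/orders/{id}": {
            "delete": {"security": [{"apiKey": []}],
                       "responses": {"204": {}, "401": {}}},
            "put": {"responses": {"200": {}}},
        },
    },
}

def lint_spec(spec):
    """Return sorted (path, method, finding) tuples for rule violations."""
    schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    default_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters"
            # Operation-level "security" overrides the document default; an
            # empty list or an empty requirement {} allows anonymous calls.
            security = op.get("security", default_security)
            if not security or {} in security:
                findings.append((path, method, "anonymous access allowed"))
                continue
            for name in {n for req in security for n in req}:
                if name not in schemes:
                    findings.append((path, method, f"undefined scheme {name}"))
            if "401" not in op.get("responses", {}):
                findings.append((path, method, "401 response not documented"))
    return sorted(findings)

if __name__ == "__main__":
    for path, method, finding in lint_spec(SAMPLE_SPEC):
        print(f"{method.upper()} {path}: {finding}")
```

In a pipeline, a non-empty result would fail the build before the Deploy phase runs.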

I hope this article helped you understand the API lifecycle stages in a clear and easy-to-understand manner. The key part we need to realize is that the API lifecycle has these many stages, and they can be considered a blueprint for managing any API. Lastly, I would say managing the API lifecycle is not a one-person job; there are specific roles that take part in different stages, such as API Architect, Developer, SRE, Operations Team, DevOps, Tester, and Security.
