Author

How do you govern a sprawling, disparate API portfolio?

feature
Sep 23, 202419 mins
APIsCloud ComputingDevops

The API revolution wasn’t televised. Now, enterprises must figure out how to weave together a patchwork of API styles, standards, and gateways.

Many colorful doors in a room. Concept of choice. Green, yellow, orange, red, and pink doors on a brushed silver foreground and painted bright blue and white cloud background.
Credit: New Africa / Shutterstock

We continue to see a significant increase in API development year after year. A 2022 report conducted by 451 Research found that the average organization has 15,564 APIs in use, with a growth rate of 201% over a single year. Cloudflare has reported that more than 50% of the traffic it processes is API-based. A variety of trends are driving explosive growth in the number of APIs enterprises use, yet these integration points are often quite varied and ungoverned.

“APIs are integral to how consumers and businesses access services and data on the web,” says Marco Palladino, CTO and co-founder at Kong, who notes their crucial role in emerging areas such as generative AI, web3, and blockchain. “Despite their significance, few are aware of the importance of APIs in IT or the global economy, as this has largely been a silent revolution.”

Most enterprises face a widening API portfolio with an increasing number of API design styles and standards. “Almost all organizations are doing this,” says Brian Otten, VP of digital transformation catalysts at Axway. “I recently talked to a large food retailer that wants to see REST APIs alongside event-based resources and GraphQL,” Otten says.

In addition to the patchwork of API styles, most companies use multiple API gateways or management tools simultaneously. “We are at a point where organizations who already have API management solutions are buying API management solutions,” says Mark O’Neill, VP analyst at Gartner. O’Neill notes that in some cases, this is to replace the current platform, but in many situations, it’s cumulative.

In this multi-paradigm world, API governance is emerging as a key element for bridging disparate styles and avoiding the pains of a sprawling technical portfolio. According to API industry experts, governance will require a greater emphasis on documentation, centralizing common patterns across the organization, consolidating tools, and building internal platforms that improve the developer experience.

Key technology trends influencing API adoption

APIs are increasingly at the heart of many software development trends. One central area is large-scale digital modernization efforts. “The general modernization of web apps in large organizations has been a big driver over the last few years,” says Jacob Ideskog, CTO at Curity. “Startups and fast movers have been on this train for longer, but larger organizations have finally made the shift, which has pushed API adoption in general.”

For instance, modern mobile development relies heavily on APIs in the back end to facilitate machine-to-machine communication. “Every mobile app is, in effect, just a front end to a back-end service in the cloud, communicating back and forth over APIs,” says Jeremy Snyder, CEO of FireTail. He also credits the use of cloud-based storage and database-as-a-service offerings as contributors to API-centric development.

Another area influencing API growth is compliance. For instance, open banking regulations worldwide have pushed banks to create or open APIs. “This is often the first time many of the banks have provided public-facing APIs,” says Ideskog. Impressively, the open banking tracker now catalogs more than 500 open banking APIs.

And it’s not just finance — interoperability requirements extend to all enterprises. “In recent years, an increase in enterprise API adoption has been seen due to interoperability needs between enterprises and their partners and customers,” says James Higginbotham, executive API consultant at LaunchAny. Software reuse also is a motivator for internal API adoption, Higginbotham says.

APIs also are aiding the development of AI applications. “APIs play a crucial role by providing accurate data to LLMs [large language models], enabling more precise responses from AI systems,” says Anurag Shukla, head of product design at APIwiz. Web APIs not only are an integral component behind the scenes of the recent generative AI wave but have fueled low-code and no-code development for years.

Other experts cite additional areas contributing to more API reliance, such as platform engineering, composable architecture, microservice architecture, single-page applications, OAuth-based security systems, third-party SaaS application integration, hybrid multicloud strategies, and more. In short, APIs are pervasive across enterprise software development trends.

“APIs are becoming a utility-like foundational layer for all other digital interfaces,” says Kristof Van Tomme, CEO and co-founder of Pronovix, who likens APIs to the electricity that drives power tools. And with the dawn of AI-generated content, Van Tomme says programmatic ways to consume information are destined to increase, bringing more API adoption.

Most organizations use a variety of API styles

The REST API style is still widely used for internal or external-facing APIs, mainly because HTTP standards are well-known and many tools suit this paradigm. Yet, modern enterprises now adopt a diverse array of API design standards, ranging from SOAP to REST, GraphQL, gRPC, event-driven architectures, and beyond. LaunchAny’s Higginbotham is seeing movement toward gRPC for high-performance service-to-service communication and an uptick in GraphQL to enhance development velocity. Curity’s Ideskog also sees increasing use of GraphQL. “It seems to have found its place in the design pattern landscape for when it’s useful and when it’s not,” Ideskog says.

“It’s common for organizations to adopt multiple API design styles and standards to cater to different domains,” says Asanka Abeysinghe, CTO at WSO2. This is because different problem spaces often require unique approaches. Plus, an organization may deploy domain-specific APIs for areas like finance, healthcare, or logistics, Abeysinghe says.

Leveraging various fit-for-purpose API styles might make sense from a functional perspective, and could indicate that more pockets of the organizations are beginning to collaborate. Also, empowering developers to choose their tools benefits the overall developer experience. As Michaela Halliwell, product manager, API and data, at HCSS, shares, “In my organization, this is driven by the autonomy of our teams for their specific product use cases as well as the preference and expertise of the developers.”

On the other hand, a fractured API landscape is not always intentional. Matt Voget, director of technology at Ambassador Labs, says fragmentation can easily occur when organizations shift to microservices without aligning different teams on an organizational standard. “One microservice for managing user accounts might be backed by a GraphQL API while another that manages payments might be using OpenAPI with REST,” Voget says.

Operationally, this could lead to wasted efforts. “In larger organizations, it’s not uncommon to see that the same use case has been solved by two different development teams, in two separate business units, using two different API standards,” says FireTail’s Snyder.

Lately, the increase in the use of multiple styles can also be attributed to non-existent standards for API governance. “There is a lack of efficient standardization across API programs within enterprises,” says Adeeb Tahir, director of sales engineering at APIwiz. “This is largely due to teams working in silos and not having adequate visibility into each other,” Tahir says. An all-too-common result is inconsistent documentation that often doesn’t match production behaviors.

Many companies juggle multiple API gateways

Not only is internal API style typically varied, but organizations often use a variety of tools to manage APIs. “It’s not uncommon for organizations to utilize multiple API gateways or API management solutions concurrently,” says WSO2’s Abeysinghe. He says one reason for this is parallel procurement occurring across the business. Often, different business units will select preferred solutions for their specific requirements or to support various stages of the API life cycle.

Additionally, an organization may find itself evolving its architecture over time, looping in various tools to maintain legacy APIs, support new microservices features, or route ingress traffic, says Voget of Ambassador Labs. “API gateways are tough components to swap out, so it’s likely that whatever technology was chosen at the time will be unlikely to change,” Voget says. This makes API solutions tricky to replace after mergers and acquisitions.

Various parts of a typical enterprise are at different stages of their cloud journeys or are multicloud, further influencing different API management needs. As Curity’s Ideskog explains, “Some organizations are in migration journeys, moving to Kubernetes but have not yet completed the move, thus forcing multiple gateways to be present.” Furthermore, legacy instances often require legacy gateway solutions. “At my organization, it’s due to hybrid environments that use different gateways tailored to specific on-prem infrastructure,” says HCSS’s Halliwell.

Another reason behind the multi-gateway condition is security and compliance. For instance, Higginbotham at LaunchAny has seen the same organization apply different API gateway instances to separate internal, partner, and customer-facing API client network traffic. “These multiple API gateway instances reduce cascading failures that could impact operations at different levels, while reducing the time and resources required to conduct regulatory audits,” Higginbotham says.

Put simply, when you have many teams building APIs, the odds are you’ll have multiple API management solutions in play. “This can be acceptable if there’s a good level of centralized documentation and visibility for both other developers and security teams,” says FireTail’s Snyder. “But it can also pose a challenge.”

How to govern a varied API landscape

Many executives believe governance is necessary to avoid technology sprawl. API governance aims to bring more structure to the ill-defined and varied world of APIs. The concept spans documentation, design standards, security policies, modern gateways and legacy management solutions, engineering leadership, and beyond.

“Effective API portfolio management involves implementing governance for each iteration, using an API gateway to govern all services,” says Kong’s Palladino. Palladino views automation as pivotal in enforcing standards around authentication, authorization, network reliability, and failover.

That said, API governance is more than just a single tool — it’s an overarching strategy. “There are essentially no tools that can solve all the necessary use cases around inventory, life-cycle management, and governance out-of-the-box,” says FireTail’s Snyder. As such, Snyder recommends prioritizing needs above specific tools when developing an API governance strategy.

So, what are those needs? The API experts I spoke with for this story laid out many tips to consider when embarking on an API governance initiative, particularly when dealing with an API inventory containing a hodgepodge of API styles and standards.

Document and unify your API catalog

First discover and document all of your services. If possible, adopt a specification-first approach. “Impose a process where all of your disparate APIs are described in specification files,” says Ambassador Labs’s Voget. Proper machine-readable API descriptions, like OpenAPI definitions, can aid discoverability and be used for style guides, linting, and contract testing, he says.

It’s important to have a central place to view and manage definitions. Some call this an API inventory or catalog. “Cleanly separate the product portfolio from technical issues,” says Erik Wilde, principal consultant at INNOQ. Wilde recommends following what Gartner calls federated API management, which establishes a single control plane and governance layer over disparate API gateways and management tools. Ultimately, the goal is to create a unified catalog to promote enterprise-wide use of standard infrastructure components and gateway patterns.

Consolidate various API gateways

Get a better handle on API gateways and management tools and their usage patterns. “Firstly, you must connect all the siloed API gateways and collect the existing APIs,” says Allan Knabe, CEO and co-founder of Apiable. “Secondly, you need to catalog these and attribute ownership so you can see who is responsible for what.”

API management tools have proliferated within most enterprises. As such, consolidating API gateways with a single control plane could improve consistency and standardize internal practices, says WSO2’s Abeysinghe. Gartner’s O’Neill agrees that many organizations desire “a single control plane for working with multiple different API gateways from different vendors.” Yet, the concept has limited support in the market, says O’Neill.

Nevertheless, there are effective ways to promote discovery and reusability across gateways. “At least have a unified developer portal that allows for federated API management so that APIs from different teams can be composed and reused across the organization,” says Pronovix’s Van Tomme. Building a single view could also help you monitor traffic across APIs.

Centralize design and security patterns

A centralized governance framework spans many areas of the API life cycle and hinges on clear organizational standards led by an internal center of API enablement. “Start by defining your API standards and building a centralized framework for enforcing and making decisions,” says HCSS’s Halliwell. “This could be a group of tech leads or a specific team that oversees the governance.”

API governance should loop in legacy services but ideally is embedded into design-first processes for greenfield development. “The only way to elevate API program maturity is to adopt a systematic governance framework across the design-time, build-time, and runtime phases,” says APIwiz’s Tahir. “This means organizations follow an API define- and design-first approach requiring the API strategy to be outlined well before design and implementation,” Tahir says.

An API governance framework must also consider security. Top of mind for Curity’s Ideskog is establishing a clean identity layer, focusing on a unified customer identifier and a well-defined set of privileges for API requests. “This enables better authorization, which in turn means better visibility of what is used and who can access it,” he says. In addition to access control, others recommend enforcing linting for API standards, leveraging monitoring and analytics tools, and applying rate limiting to protect infrastructure.

Don’t forget the developer experience

API governance teams should establish feedback mechanisms and advocate for the developer consumer. “This means guiding API design teams through an outcome-based design process to ensure they think about solutions and empathize with the API consumer to select the best-fit API design style,” says LaunchAny’s Higginbotham. For instance, helping designers differentiate industry standards versus vendor-based standards can help streamline their decision-making, he says.

A positive developer experience also includes automation when possible, both to discover APIs and to enforce governance rules. “Unless there is a tightly controlled release process, the best practice is to use automated tools to collect data about the APIs, as well as the right configuration data needed for that use case,” says FireTail’s Snyder. “Enable API providers to consistently govern APIs as part of how they operate with automation in the CI/CD pipeline,” adds Axway’s Otten.

Benefits of effective API governance

API governance can provide many positive outcomes for disparate API portfolios. “Effective API governance offers several benefits, including ensuring consistency and standardization across APIs, promoting reusability and interoperability, and enhancing security and compliance measures,” says WSO2’s Abeysinghe. By making API design and implementation a more consistent and collaborative process across an organization, you can reduce complexity and integration challenges, he says.

Improved compliance and security

Most notable is the impact of API governance on compliance and security. “Effective API governance ensures secure, reliable, and scalable digital services, supporting business goals and regulatory compliance,” says Kong’s Palladino. Governance is necessary to ensure that all APIs adhere to strict standards, that they’re protected against vulnerabilities, and that they meet regulations like GDPR and HIPAA.

With a proper API governance foundation, you can avoid shadow IT, says Ideskog. “If you don’t provide a clean structure for how to publish an API and what identity data the API can access, different teams will invent their own solutions, introducing new systems to a platform that may already have the capability,” he says.

To Ideskog’s point, ill-defined access control policies are the bane of many API initiatives. Broken authentication and authorization rank high on OWASP’s list of the top 10 API risks. Governance that addresses these areas helps keep pace with attackers, who are increasingly turning to APIs. “APIs are often entry points to sensitive data and systems,” says APIwiz’s Tahir. “Incidents like the most recent data breaches at T-Mobile and at Dell show us that malicious actors are always watching.”

Avoiding wasted efforts

In addition to addressing security and regulatory needs, well-governed APIs can bring more coherence across a digital landscape, says INNOQ’s Wilde. Ungoverned APIs can result in “wasted resources,” he says, “because the same problems get solved numerous times instead of establishing a good practice in a platform.” With proper API governance, you can eliminate duplicative efforts and reduce the time to find APIs for projects. “Very often, an API for what you’re trying to implement already exists,” says Snyder. “With good governance, you’ll probably have access to an inventory that will help you find it.”

“In most cases, efforts are underway to reduce the proliferation to unify and simplify processes while reducing licensing and maintenance costs,” adds Higginbotham. Others cite benefits such as faster software delivery, reduced licensing and maintenance costs, easier monitoring of business effectiveness, better monetization potential, and a leaner outcome overall.

More consistent API designs

API governance can also promote more consistent internal design standards. “Solid governance ensures that APIs are consistent and use predictable patterns, making it easy for APIs to work with each other and with external interfaces,” says Voget. API style guides, linting rules, and contract tests can help decrease defects or spot missing security schemes, he says. “Without this kind of governance, it’s very possible that these details may be neglected, leading to serious risks.”

Setting these standards and automating design reviews and checks when possible greatly aid the API design process. These measures also can reduce repetitive tasks in the API life cycle and inform future development. “Effective API governance results in default decisions made easy for teams when embarking on the design and delivery of a new or updated API,” says Higginbotham. “It also helps the organization capture lessons learned from past efforts.”

Better collaboration and business alignment

Lastly, having an API governance framework in place improves collaboration with other stakeholders — whether internal or external consumers. “API governance makes sure everyone is rowing in the same direction,” says Halliwell. “Providing consistent and well-documented APIs improves their experience and gives your API the reputation of being easy to work with,” she says.

Internal knowledge sharing can reduce inefficiencies and avoid hacky workarounds. It can also help increase API awareness for business stakeholders. “The primary benefit we’re seeing is at a business level, where business managers can understand what APIs are available and which team is managing them,” says Apiable’s Knabe. “If the APIs exist in silos with little or no governance, then developers are often required in business meetings to explain what is possible and what is not,” he says.

API governance futures

The API landscape varies widely among enterprises, and most efforts to centralize governance are still in progress. “As API portfolios grow, the need for API governance becomes more necessary,” says Higginbotham. “The adoption of microservices, serverless functions, and SPAs [single-page applications] over the last decade have only caused the enterprise API portfolio to multiply in size,” he says.

Looking to the future, others forecast a world with more industry-wide API standards. “I see a stronger push toward adopting standard protocols like OAuth, GraphQL, OpenAPI, and AsyncAPI,” says Halliwell. She also believes AI will play a significant role in grading API designs and driving automation, such as ​​predictive analytics and automated compliance, that will significantly reduce manual governance efforts.

At the same time, the rush to integrate AI capabilities could exacerbate an already-swelled API catalog. “Generative AI will act as yet another API portfolio multiplier,” says Higginbotham. “The challenge is whether the API economy will place value in establishing the people, processes, and tools necessary to address the API sprawl we are seeing today.“

The emerging platform engineering discipline may help answer this call. We will also likely see more unified catalogs emerge that are discrete from preexisting tools. “Organizations should start with the enforcement of discoverability and findability,” says Pronovix’s Van Tomme. “An API registry for security and management purposes can be distinct from that developer portal.”

Others see security requirements playing a larger role in the future of API governance. “I think governance will be looked at from the authorization perspective over the coming years,” says Ideskog. “Better tools for authorization will enable stronger governance and will be the big driver for the governance side of the API economy,” he says.

To that point, industry-driven security regulations are anticipated to encourage more API governance practices across the board. “I strongly believe that the increasing external regulations such as open banking and healthcare standards, coupled with growing apprehensions regarding AI data security, will drive organizations to prioritize stringent governance in their API initiatives,” says APIwiz’s Shukla.

Yet, because the needs of API governance cannot be addressed with one single tool, organizations will also require a cultural shift. For some groups, this means tasking the right leader to head up API standards. “The simple fact that an API product manager exists who takes care that the APIs are correct and up-to-date works wonders if implemented correctly,” says Apiable’s Knabe.

In short, API governance calls for a multifaceted approach to the visibility and control of organization-wide use of APIs that must answer a multifaceted technical dilemma. “Whether you call it governance, standardization, or having a platform strategy… it will only become more important to the API economy as APIs proliferate and our need for composable, flexible, microservice architectures increases,” says Voget.

Author

Bill is a tech journalist specializing in state-of-the-art technologies in the enterprise cloud software space. He is also Editor in Chief for Nordic APIs, a knowledge center for API practitioners, and contributes to DevOps.com, Cloud Native Now (formerly Container Journal), and Acceleration Economy.

More from this author