Posted by Jean-Jacques Dubray on Jun 13, 2011

Web APIs are rapidly becoming a key differentiator for many companies who wish to expose their (physical) services as a software. Companies like Google, Twitter or Facebook have helped popularize this new way to integrate with a company’s activities. However, exposing an API for developers to write applications that consume and possibly update enterprise data cannot happen without tracking which application (i.e. developer) and often which end-user is doing what. This is why for instance new protocols such as OAuth have been designed to be layered on top of HTTP to enabled for a 3-legged scenario. In any case it becomes essential to be able to authenticate which application is accessing what and what rights either the end user or the enterprise has given to that application. This is why we see more and more Web API providers issue developer keys: it is not just about enforcing these rules or metering usage, it is also about managing the entire ecosystem.

Layer 7 Technologies has released last week a portal that support the management processes of APIs and the integration of these access rules with their SOA Gateway. The portal helps a company expose APIs that can be consumed by any 3rd party developer. Dana Crane, product manager at Layer 7 explains :

This growing API-driven economy presents significant new security issues, business opportunities and management challenges for enterprises and service providers.

For instance, France Telecom has published a case study where some developers in Senegal provided a phone interface to Facebook: Kisaitoo. Using FT’s API, an end user make a phone call to a system, which record a question, that question is then posted to facebook, when people answer, the application sends an send to SMS to the original end-user. Savvis is another customer is using Layer 7 solution to enable their F500 customers provision Cloud based resources programmatically.

The API portal allows for defining different developer packages (bronze, silver and gold) and supports API invocation Rate Limiting rules which are enforced by the gateway.

Phil Walston, vice president of products at Layer 7 Technologies added:

The API Portal provides real-time insight into how APIs are being used, coupled with enterprise-grade security controls and automation tools that make managing developer accounts and API keys simple.

The API portal can be deployed on premise. The portal offers a number of reporting options for the developers as well as the API providers. It also supports the concept of different API versions.

Layer 7 claims that, when deployed in conjunction with their API gateway, it is capable of handling up to 25 billion transactions per month on a single API proxy, numbers that seemed inimaginable just a couple of years ago.

Are you considering exposing Web APIs to facilitate the development of applications by 3rd party developers? How are you dealing today with the developer management processes, policy enforcement and reporting?