When developing APIs for your business, it’s critical to adhere to key API design and security standards, as well as a clearly defined structure and method of governance. At Rubicon Red, these standards are kept at the forefront of our processes to ensure that your API-driven solution is easily adopted, well maintained and consistent with your business's processes and systems.
However, it’s important to note that while following API standards is an important part of the process, this by itself is not enough. We pride ourselves on having the ability to truly understand your business goals and processes, proficiently adapt the API standards framework to every unique aspect of your business, and apply it successfully.
In this blog, we’ll cover the basic outline of the API standards framework and summarise API governance and its role in API adoption. Most importantly, we'll unpack the Rubicon Red process of applying the standards framework in the context of your organisational ecosystem, and explain why this is key to achieving organisation-wide, ongoing success in delivering API-driven solutions that your business and customers will love.
What are API Standards?
API standards are rules and regulations to be used as a guideline for the design and development of any modern Web API. Note that we have refrained from using terminology such as REST since modern Web APIs are not necessarily always RESTful in nature. The standards have two primary functions:
- Ensure APIs are easy to adopt, consume, maintain and extend. Improve developer productivity by providing a standard to be utilised consistently across every project and system.
- Fast-track on-boarding for new developers by reducing the learning curve associated with API design and implementation through a consistently applied standard.
Of course, because universal design standards embody best practice, both the overall quality of APIs and the general literacy around API integrations are maintained at a high level.
Before we start with the standards, though, it is important to first establish a clear understanding of the broader components of an API-based solution architecture. A common frame of reference ensures APIs are designed to expose business functionality securely and consistently, in a manner that is consumable by internal and external entities. Further, a clear API taxonomy determines, to some extent, the specific standards that should be applied in a more contextualised manner. The three key API classifications or layers are:
- System APIs: System APIs are low-level APIs that usually act as a thin wrapper around source systems. System APIs enable key business functionality to be accessed in a managed, secure and consistent manner. For System APIs, the design standards are recommended, as this will assist in developing the Business or Consumer level APIs, if they are required in future.
- Business APIs: Business APIs are more focused on higher-value, system-agnostic business functionality. These APIs truly realise holistic business processes, which may span across multiple systems. They can be composed and recomposed in different ways to generate higher order business value. For Business APIs, the design standards must be applied, as a Business level API will almost always be tailored for re-usability.
- Consumer APIs: Consumer APIs are APIs designed specifically for consumers in cases where they cannot directly consume existing business or system layer APIs. For Consumer APIs, the design standards may be applied, but this is usually driven by what the consumer can or cannot support.
At Rubicon Red we adhere to a comprehensive set of API standards including:
- Naming Conventions - Resources, Message Formats, URI Components
- API Versioning - URI Versioning, End of Life Policy
- API Requests - Headers and Methods
- API Responses - Headers and Methods
- Error Handling - Error Response Payload, Error Codes, Request Validation
- API Security - Transport, Permissions (Authentication and Authorisation), Analysis, Management
An important aspect of best practices for APIs is around comprehensive API testing. This includes the 5-level approach to API testing:
- Contract Testing
- Scenario Testing
- Performance Testing
- Security Testing
- Omni-channel Testing
Rubicon Red has a comprehensive set of guidelines associated with each of these standards. Read our API Best Practices White Paper for an introduction to some of our guidelines.
What is API Governance?
API governance is a series of guidelines and methodologies to achieve consistency, standardisation and maturity in an organisation's API program. Governance is put in place to ensure that well-defined structures and methods are established, so that the right things happen with ease and deviations are hard to introduce.
API governance helps save time and money because it enables consistency across APIs, allows components to be reused, and ensures that APIs are built proactively to achieve specific goals and bring value to the business. API governance also helps companies make intelligent decisions regarding API programs and establish best practices for building, deploying, and consuming APIs. - Best Practices in API Governance, Swagger
Governance is a key element of an organisation's API development process; however, governance cannot be established in isolation. It must always be approached within the broader context of the business.
At Rubicon Red, we believe a comprehensive, solid API Governance process is critical to set the foundation for establishing and executing an API program within the context of the business.
Important API governance considerations include:
- API Platform Tools and Management Platform
- API Ownership
- Templates and Style Guides
- Publishing and Discovery
- DevOps and Automation
- API Security Governance
- Key Performance Indicators (KPIs) and Reports
If you are looking for help getting started on your API journey or want a quick API health check, schedule a call to discuss how we can help. As part of our Advisory Services we can provide our comprehensive API Standards and API Governance documentation to support broader enablement of your teams.
Understanding your Organisational Ecosystem
Having a strong understanding of API standards and governance is a good starting point for a robust API build; however, to create high-quality, re-usable APIs, you’ll need to apply the standards and governance in the context of your organisational ecosystem.
At Rubicon Red, our processes are focused on ensuring that the API standards and best practices are easily integrated and fully embedded into your business to get the most out of your API investments. Here’s an outline of some of the key considerations to give insight into how we achieve this.
Our Delivery Methodology Begins Where You’re At
When organisations come to Rubicon Red seeking an API-based architecture or API-driven solution, we look to help them based on their unique requirements. Typically we see three common entry points for organisations on their API journeys looking for our help and guidance.
- The customer has a clear vision and an already established or pre-selected platform, and is looking for help to implement their API vision using best practice.
- The customer had a clear plan, but they’re finding they are not getting the value they anticipated. In this case, they want an API health check to help them get back on track and assistance in resolving issues.
- The customer is completely fresh to APIs and has no clear plan or vision. In this instance, they’re after holistic help to form and implement a strategy. This means aligning the organisation to be successful: gaining an understanding of company structure, where funding is coming from, and defining metrics for measuring the value gained from your API solution.
Our delivery methodology in tandem with our API standards and governance framework means we can help customers wherever they are on their API journey. There are four key things to take into consideration from an organisational perspective:
- Establish a culture of collaboration
- Continue support through the API lifecycle
- Align with your organisation's security
- Implement the right tools to enforce standards
Establish a Culture of Collaboration
The first place to begin is by building a culture of collaboration within your organisation. The more siloed your organisation is, the more difficult it is to get value out of an API program.
So what does a successful culture of collaboration look like?
- Executive support and established funding models
Executive support is critical to a successful API program. Having executive commitment and well-established funding models (how initiatives will get funded) really drives widespread use and broad adoption of APIs, ensuring sustained commitment to API programs that deliver value broadly and over time.
Without executive commitment and well-established models for funding shared API projects, future projects might encounter resistance due to a lack of ongoing budget. To combat this problem, an organisational process that incentivises or enforces reuse with a forward-thinking mindset is key when establishing your API program.
- Identifying key stakeholders
Before an API is published, it needs to go through many rounds of review with key stakeholders in the company before it is approved. If the organisation doesn’t already have a structure that supports collaboration, this process can often become tedious as approvals become bottlenecked with certain ‘gatekeepers’.
From the beginning of the development process, it’s important to identify the key players who will be performing these reviews and ensure that they’re all on the same page to streamline the process.
- Identifying API project champions
In a similar vein, it’s key to identify API champions who understand the goals of the project, can communicate these to the wider business, support ongoing change and drive re-use across teams. API Champions know how an API is being implemented and make sure it is documented and published (perhaps as part of a Centre of Enablement). These key individuals drive support and alignment across all stakeholders to ensure sustained use and ROI.
Continue support throughout the API Lifecycle
By their very nature, APIs are a long term investment and won't necessarily bring value on day one. To have a successful project, you need to release it, socialise it and apply every strategy that you would for a home-grown product. As your APIs and your organisation's needs evolve, you should ideally be able to enhance your APIs with additional features based on new projects and new requirements.
Once a project is delivered, it’s not a set-and-forget process where you simply leave your APIs running. Ideally, we advocate a delivery model where there is a product team behind every key API that owns the API(s) throughout the life cycle. That means there is an established team, supported by an API champion, that manages the API throughout its lifecycle and can assess and deliver requirements going forward to address the broader needs of the organisation as it looks to re-use APIs, thereby deriving maximal value from API consumption.
Organisations that treat APIs in this way, as first-class products, and use a product-centric delivery methodology by adopting Agile and DevOps practices, are most successful.
Align with your organisation's security
In our experience, most large organisations have a security team with specific security standards in place. In this sense, APIs are just another asset and therefore must be governed by the same corporate IT standards that the organisation operates by.
These security measures may include:
- On-boarding and off-boarding processes
- Tiered rate limiting
- Intrusion detection
- Authentication and Authorisation
Implement the right tools to enforce the standards
Having a comprehensive set of standards in place is one thing, but without equipping the team with the right set of tools, it is difficult to implement the standards and monitor usage. You'll need tools to help you find, release, secure and monitor your APIs:
- Catalogue, discover and document all your APIs
- DevOps to release and manage the release cycles
- Good ways to implement and enforce security, for example API gateways to enforce policies
- Strong monitoring capabilities so you can see how often your APIs are used and by whom, and uncover how well they are doing, both in terms of technical performance and adoption
It’s About the Organisation, as Much as it’s About the Standards and Governance
Having a comprehensive and robust set of API standards and a governance framework is essential to establish good API practices, but at the end of the day, they’re a framework that must be used in alignment with your organisation. Rubicon Red specialises in coaching businesses to apply the best practice framework to their own organisational ecosystem, helping you get the most out of your API investments so you can rapidly and cost-effectively deliver API-driven solutions, with minimal fuss, that your business and your customers will love.
In summary, this means supporting an API standards and governance framework with:
- A culture of collaboration, including executive support, funding models and API champions
- Ongoing support through the API lifecycle
- Alignment with your organisation's security
- Implementing the right tools to enforce standards
Want to know more about API best practices?
Whatever stage you are at on your API journey, we make it easy for you to be successful - no fuss or hassle, we just get on with it. Book your FREE consultation with one of our API experts now!