Why API Management Must Consider the Entire API Journey

This guest post by Bill Doerrfeld, Editor in Chief of Nordic APIs, explores the growing reasons why API management should encompass the entire API journey, including third-party API consumption.

Bill Doerrfeld, Editor in Chief for Nordic APIs

API Consumption Management

Discussions about API-first strategy typically center around APIs created internally or externalized as products. This makes sense, as today's development paradigm of microservices architecture relies heavily on APIs. Developer portals and gateways for exposing these APIs to external users are well-established. However, most API management practices overlook a crucial aspect: third-party API consumption.

The fact is that developers are both creating and consuming a ton of APIs. Many modern applications are literally stitched together with external APIs, like Stripe for payments, Algolia for search, Nylas for emails, and others. Third-party APIs are behind the scenes, enabling what Gartner calls the "composable enterprise." Impressively, 90% of developers are using APIs in some capacity, and 69% use third-party APIs, according to a SlashData survey.

As third-party API consumption increases, it's increasingly important to consider it within the holistic API journey. Doing so can yield benefits such as cost savings, better inventory management, and improved performance monitoring. Below, we explore these areas to understand why API management should encompass the entire API journey, including third-party API consumption.

To Unlock Smart Cost Savings

Organizations are projected to increase their PaaS spending by 21.5% in 2024. Ballooning cloud costs are getting a little out of hand, and there's a strong case for IT leaders to optimize spending on third-party APIs. This is an area that traditional API management has yet to fully address.

API management focusing on egress could implement optimization techniques such as caching, throttling, and delayed queues for managing third-party APIs. Developers see cost-effectiveness as the top advantage of such an egress proxy, according to the 2024 "The Evolution of Third-Party API Management" report. For example, this layer could identify cost differences between similar AI services and divert traffic accordingly.

Consider optical character recognition (OCR) APIs. There are numerous OCR APIs on the market, each following similar processes to generate text from unstructured media. With so many options available, an intelligent gateway could choose the most optimized service based on the prompt. Third-party API management could also help operationalize more processing-heavy LLM-based computations to reduce cost.

To Increase Awareness of API Usage

Most organizations don't have a complete footprint of their internal API portfolio, and the typical inventory of external integrations is likely just as patchy, if it is cataloged at all. An EMA survey found that over one-quarter of APIs are undocumented. Poor service discovery stunts API usage, and various industry reports say a lack of documentation is a top obstacle to consuming APIs.

Interestingly, the OWASP API Security project now lists API9:2023 - Improper Inventory Management as a significant risk factor. So, it's not just the developer experience that matters — security concerns may also arise from a lack of API awareness. As such, third-party API dependencies should be considered just as important to track as any other type of API.

While it's true that most APIs are private (61% according to the Postman 2023 State of the API Report), an API management strategy that focuses only on cataloging APIs that are produced, rather than consumed, leaves a significant gap. Unknown dependencies on shadow integrations can pose risks.
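One way to surface shadow integrations is to compare observed egress traffic against the catalog of approved third-party APIs. The sketch below is an added example, not code from the original post; the log format, the hostnames, and the `egress_inventory` function are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed catalog of approved third-party API hosts (assumption).
CATALOG = {"payments.example.com": "payments", "email.example.com": "email"}

# Constructed egress proxy log lines, assumed format:
# "<timestamp> <calling-service> <method> <url> <status>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z checkout POST https://payments.example.com/v1/charges 200
2024-05-01T10:00:02Z mailer GET https://email.example.com/messages 200
2024-05-01T10:00:05Z reports POST https://ocr.example.net/v2/extract 200
2024-05-01T10:00:09Z reports POST https://OCR.example.net:443/v2/extract 502
2024-05-01T10:00:11Z checkout POST https://payments.example.com/v1/refunds 200
malformed line
"""

def egress_inventory(log_text, catalog):
    """Return (known, shadow): call counts keyed by (host, calling service)."""
    known, shadow = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _, service, _, url, _ = parts
        # hostname is lowercased and has the port stripped, so
        # "OCR.example.net:443" and "ocr.example.net" count as one host.
        host = urlsplit(url).hostname
        if not host:
            continue
        bucket = known if host in catalog else shadow
        bucket[(host, service)] += 1
    return known, shadow

if __name__ == "__main__":
    known, shadow = egress_inventory(SAMPLE_LOG, CATALOG)
    for (host, service), calls in sorted(shadow.items()):
        print(f"uncataloged dependency: {service} -> {host} ({calls} calls)")
```

Keying the counts by calling service as well as host shows which team owns each uncataloged dependency, which is what an inventory review needs.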

To Maintain Secure, Stable Integrations

Another reason to consider third-party APIs within the entire API journey is to enhance uptime to meet service-level agreements (SLAs). Latencies, outages, or breaking changes in external APIs can produce errors in client applications, which can negatively affect end users. By monitoring these integrations, you could expose these irregularities and even route requests to alternative endpoints to keep things afloat. Furthermore, input validation for third-party APIs has become necessary lately, as API10:2023 - Unsafe Consumption of APIs is another new entrant to the aforementioned OWASP list.
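The two controls named above, validating what a third-party API returns and routing to an alternative endpoint when it misbehaves, can be combined in the consuming code. This is an added example, not part of the original post; the OCR response shape, the size limits, and the `primary`/`secondary` stand-in providers are assumptions.

```python
import json

MAX_BODY = 64 * 1024   # assumed cap on response size, in bytes
MAX_TEXT = 10_000      # assumed cap on extracted text length

class InvalidResponse(Exception):
    """Raised when a third-party response fails validation."""

def validate_ocr_response(raw: bytes) -> dict:
    """Treat the vendor's body as untrusted: bound it, parse it, type-check it."""
    if len(raw) > MAX_BODY:
        raise InvalidResponse("body too large")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise InvalidResponse("not valid UTF-8 JSON") from exc
    if not isinstance(doc, dict):
        raise InvalidResponse("expected a JSON object")
    text, conf = doc.get("text"), doc.get("confidence")
    if not isinstance(text, str) or len(text) > MAX_TEXT:
        raise InvalidResponse("bad 'text' field")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) \
            or not 0 <= conf <= 1:
        raise InvalidResponse("bad 'confidence' field")
    # Return only the fields we expect; unexpected vendor fields are dropped.
    return {"text": text, "confidence": float(conf)}

def call_with_failover(providers):
    """Try each (name, fetch) in order; return (name, result, errors)."""
    errors = []
    for name, fetch in providers:
        try:
            return name, validate_ocr_response(fetch()), errors
        except (InvalidResponse, TimeoutError, ConnectionError) as exc:
            errors.append((name, str(exc)))  # keep for monitoring
    raise RuntimeError(f"all providers failed: {errors}")

# Constructed stand-ins for two OCR vendors (no network access needed).
def primary():
    return b'{"text": "Invoice 42", "confidence": "high"}'  # wrong type

def secondary():
    return b'{"text": "Invoice 42", "confidence": 0.93, "debug": "x"}'

if __name__ == "__main__":
    print(call_with_failover([("primary", primary), ("secondary", secondary)]))
```

The returned `errors` list is the monitoring signal: a provider that keeps failing validation points to a breaking change upstream rather than a transient outage.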

To Improve Developer Experience For Maintenance

Developers are wasting significant time trying to manage their third-party API consumption. According to The Evolution of Third-Party API Management report, 88% of companies agree that third-party API-related issues require weekly attention, and 60% say they spend too much time troubleshooting these issues.

The API industry is obsessed with optimizing time to first Hello World. While streamlining the initial API onboarding is great, the reality is that it takes significant effort to maintain API integrations for the long run post-integration. Therefore, the conversation around API management must also consider the entire API integration lifecycle, from release to deprecation, to truly encompass the actual developer experience.

To See The End to End Picture

So far, we've discussed the benefits of bringing egress traffic under the API management umbrella. What's more important is seeing the entire journey, from end to end, since inbound API calls often will propagate and generate additional external API calls. Understanding how and when these API calls have been created per user helps generate an accurate cost per consumer, aiding FinOps and internal chargeback use cases.

Secondly, merging ingress and egress traffic in this way could greatly inform identity and access management (IAM) concerns. The visibility that an outbound API management layer offers could fill the missing piece in IAM, helping to inform security controls for outgoing traffic. 

A Brand New Category: API Consumption Management

APIs are the programmatic pathways to consume software-as-a-service, helping engineering teams build decoupled, distributed applications that avoid reinventing the wheel. Yet, until recently, the typical API managers have only considered ingress, not egress. The complexities of API consumption management are often overlooked.

Greater management and governance of third-party APIs could better illustrate the range of API use cases in today's software development teams. Of course, other strategies are required to fully address the entire API journey, especially as more non-developers, like low-code or business users, are working with APIs than ever before (53% of the folks who participated in the Postman survey were non-developers). Additionally, executive interest in APIs has heightened, meaning developer portals should appeal to a broader range of users.

But when considering the overall API journey, third-party API management is low-hanging fruit. To date, attempts to build API egress gateways have largely been ad hoc, homegrown, and not very scalable. That said, new technologies are emerging to help API consumers make sense of their third-party API dependencies, hopefully before tooling sprawl sets in.

As the API economy matures, it will be interesting to see how this new category of API consumption management evolves to enhance and streamline software development. I recommend technology leaders keep an eye on this evolving space to learn the practices required to finally see the entire API journey.


Bill Doerrfeld is a tech journalist specializing in state-of-the-art technologies in the cloud software space. He is the Editor in Chief for Nordic APIs, a knowledge center for API practitioners. He also contributes to various enterprise tech publications. Through his work, he strives to tackle complex problems to advance the industry. He lives and works with his family in Portland, Maine.

Website: https://www.doerrfeld.io/
LinkedIn: https://linkedin.com/in/doerrfeldbill
X: https://twitter.com/doerrfeldbill