A popular trend in enterprise software development these days is to design client apps to be very decoupled and use APIs to connect them.
This approach provides an excellent way to reuse functionality across various applications and business units.
Another great benefit of API usage in enterprises is the ability to create those APIs using a variety of disparate technologies.
However, this approach also introduces its own pitfalls and disadvantages, including:
Difficulty discovering or sharing existing APIs
Difficulty sharing common functionality across API implementations
Tracking of API usage/consumption
API Management is a technology that addresses these and other issues by providing an API Manager to track APIs and configure governance policies, as well as an API Gateway that sits between the API and the client. This API Gateway is responsible for applying the policies configured during management.
Therefore, an API management system tends to provide the following features:
Centralized governance policy configuration
Tracking of APIs and consumers of those APIs
Easy sharing and discovery of APIs
Leveraging common policy configuration across different APIs
The goals of Apiman are to provide:
An easy-to-use and powerful API Manager, handling user management and human interaction.
A low-overhead API Gateway to implement standard API management functionality (runtime enforcement).
Flexibility, allowing existing functionality to be adapted and configured to do what users need.
Extensibility, allowing new functionality to be added into Apiman via plugins and components.
Reuse, allowing existing Java codebases and Java skills to be reused for API Management purposes (without having to rewrite everything).
Some common API management use cases include:
APIs will very often have a security requirement such that clients connecting to the API must authenticate in some fashion.
Authentication can vary greatly both in the protocols used to authenticate and the identity source used for validation.
It can often be convenient to provide authentication at the API management layer to free the back-end API from having to do this work. This approach also has the side benefit of centralizing authentication configuration for a wide array of disparate APIs.
Therefore, the API management layer must provide authentication capabilities using a wide range of protocols including BASIC, digest, OAuth, etc.
The API management layer is a convenient place to apply throttling (also known as rate limiting) to your APIs. Throttling is a way to prevent individual clients from issuing too many requests to an API. Because all requests to an API go through the API Gateway, it is an excellent place to do this throttling work.
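The authentication and throttling use cases above can be pictured as two policies applied in order at the gateway. The sketch below is an added example, not Apiman code: `GatewaySketch`, its methods, the in-memory user map, and the limit and window values are all assumptions made for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration; GatewaySketch and its members are hypothetical names, not Apiman classes.
public class GatewaySketch {
    // Constructed identity source. A real deployment would hold salted hashes or query a directory.
    static final Map<String, String> USERS = Map.of("billing-app", "sample-password");
    static final int LIMIT = 3;            // requests allowed per client per window (assumed)
    static final long WINDOW_MS = 60_000;  // fixed window length in milliseconds (assumed)
    static final Map<String, long[]> WINDOWS = new HashMap<>(); // client -> {windowStart, count}

    // Authentication policy: returns the client id for a valid BASIC header, else null.
    static String authenticate(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        try {
            String[] pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), UTF_8).split(":", 2);
            String expected = pair.length == 2 ? USERS.get(pair[0]) : null;
            // MessageDigest.isEqual compares without stopping at the first differing byte.
            boolean ok = expected != null && MessageDigest.isEqual(pair[1].getBytes(UTF_8), expected.getBytes(UTF_8));
            return ok ? pair[0] : null;
        } catch (IllegalArgumentException malformedBase64) {
            return null; // header payload was not valid Base64
        }
    }

    // Throttling policy: fixed-window counter keyed by the authenticated client id.
    static synchronized boolean allow(String client, long nowMs) {
        long[] w = WINDOWS.get(client);
        if (w == null || nowMs - w[0] >= WINDOW_MS) WINDOWS.put(client, w = new long[] {nowMs, 0});
        return ++w[1] <= LIMIT;
    }

    // Gateway entry point: 401 if unauthenticated, 429 if over the limit, 200 if forwarded.
    static int handle(String authorizationHeader, long nowMs) {
        String client = authenticate(authorizationHeader);
        if (client == null) return 401;
        return allow(client, nowMs) ? 200 : 429;
    }

    public static void main(String[] args) {
        String good = "Basic " + Base64.getEncoder().encodeToString("billing-app:sample-password".getBytes(UTF_8));
        for (int i = 1; i <= 4; i++) System.out.println("request " + i + " -> " + handle(good, 1_000L * i));
        System.out.println("malformed header -> " + handle("Basic !!!", 5_000L));
        System.out.println("next window -> " + handle(good, 61_000L));
    }
}
```

Because the counter is keyed by the authenticated client id, rejected requests never reach it; limiting repeated failed logins would need a separate counter keyed on something available before authentication, such as the source address.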