A non-exhaustive list of Apiman's API Management features. Most of Apiman's functionality is customisable, and you can write your own plugins to provide capabilities that are not available out of the box. The Apiman team and community have also created a wide range of plugins that you can use.
Apiman should work on all operating systems that Java runs on.
Apiman has a hybrid RBAC-ABAC system.
Roles are globally defined personas that are assigned permissions (e.g. 'API Plan Administrator' has a range of
plan-related permissions such as
Within an organization, Apiman users are assigned roles that grant them the permissions from that role.
Apiman only supports post-hoc billing/monetization via metrics (e.g. Elasticsearch), but has no explicit support currently for up-front billing or payment capture.
In-browser/API notifications for a range of Apiman events, such as when an API signup needs approval, when someone signs up to an API, etc. Many are interactive, allowing the user to click through into the relevant resource.
We're continuing to add more as we identify useful events to notify users about. Can be disabled.
A new feature in 3.x, Apiman now publishes a range of events into an outbox table. By using CDC software such as Debezium, you can publish these events into event distribution platforms such as Kafka.
These events cover a range of topics, such as important entity state changes (e.g. API publication), and when actionable events occur (e.g. approval required).
You can use Apiman events integrate with external systems, such as business rules engines.
Apiman has a simple JSON-based API Registry capability out of the box to list external APIs that users can import.
By implementing a simple interface, you can interrogate your own registry instead.
Apiman imposes immutability on configurations of published APIs and Plans. This is to ensure that API publishers cannot silently alter the contract established between the API publisher and API consumer (e.g. change rate limits without telling consumer). A new version is usually required.
However, there are some situations where forcing a configuration update may be more appropriate, such as updating endpoints or fixing config mistakes.
You can set APIs to require manual approval before a subscriber is allowed to use it. This is typically used for APIs that require a due diligence process.
Apiman sends notifications to approvers, and the subscriber receives notifications on acceptance or rejection.
Events are also emitted, if you want to handle this automatically.
devportalrole in Keycloak.
You can set a global legal prose that all devportal users have to accept before signing up to an API.
If there is interest, we are considering adding a more fine-grained approach for managing legal prose that is attached to plans or APIs.
Policies govern traffic transiting the Apiman gateway. For example, rate limiting, security, or header and payload manipulation.
Using simple Java plugins, you can develop your own Apiman policies, enabling almost any kind functionality you can dream of, including schema-based UIs.
conf.json. For example, you could provide a custom rate-limiting component implementation.
- Maven Central
- Any Maven-compatible remote repository, such as Sonatype, JFrog, or Archiva.
- User-defined alternative directory.
By implementing a simple interface, you can allow Apiman to search for and import APIs from external API registries.
For example, if you have an API registry inside your organization, your custom Apiman registry could interrogate it, allowing users to quickly import those APIs into Apiman with its implementation details pre-filled.
Apiman is currently primarily an HTTP API gateway. For example, your RESTful Web API will work just fine.
Various protocols can run on top of HTTP, these should also work. Please let us know your results.
Policies are the bread and butter of Apiman, governing traffic passing through the Apiman gateway at runtime. They perform a wide variety of actions, including permitting or denying requests, modifying metadata (e.g. headers), and mutating the payload.
In this section, we briefly list the standard policies and plugins that ship with Apiman. Refer to the Apiman documentation for full information on functionality and configuration.
A key feature of Apiman is that you can create your own Apiman policies, and we welcome contributions. Refer to our developer's guide for more.
This plugin offers an OAuth2/JWT authentication policy that leverages the Keycloak SSO platform as the identity and access provider.
Much of its functionality can actually be used by a wider range of SSO providers than just Keycloak.
Roles can be extracted and used with authorization policies, or injected into headers to pass to backend services
You can implement your own custom policy plugin using Java.
You can make Apiman do almost anything!
See the extensibility section.
Identity & Access Management
For logging into Apiman Manager, Apiman Devportal, and managing access to the Apiman platform. You can also use your IDM/IAM solution with some Apiman policies (e.g. OAuth2 policy), but this is not mandatory.