An API gateway won't solve every one of a developer's API problems, Jason Ehmke told audiences at the Kong API Summit 2025 in New York.
Right now, it's really the API Wild West, the chief technology officer and co-founder of DevGrid told audiences during his Oct. 15 presentation, "Creating a Best in Class API Strategy." DevGrid is an engineering operations platform that provides visibility into software teams and tech stacks.
While API gateways are a key part of an API management strategy, they're not enough on their own, he contended.
"You don't know who's in it or not," Ehmke said. "You have authentication forced in there, but you're opting in. It's not mandatory. It's your rate limiting, but you don't know what you're rate limiting for?"
Predictably, this leads to problems. Ehmke shared some related statistics:
- 15% of IT and security professionals interviewed had confidence in their API inventory, according to Salt Security.
- More than 50% have delayed releases for API security, according to a different Salt Security report.
- 84% had an API security incident, according to Akamai Security's 2024 API Impact Security Study.
"Most people have API security incidents or have delayed releases from API security; it's a thing. You're not alone with these problems," he said. "But the breaches are expensive, maybe something minimal, maybe something big. They are incredibly expensive."
To tame this Wild West of APIs, Ehmke called for IT divisions to invest in an API platform, which can automate security and governance in ways API gateways do not, he said.
API Wild West
As it stands, many organizations find themselves with questions about their APIs, he pointed out: There are multiple customer APIs, so which is the correct one? Is that endpoint supposed to be public? Why did the customer find a PII vulnerability before IT did?
An API gateway gives you some protection, but not enough, he contended. Specifically, it provides:
- A proxy, but no idea who hasn't migrated;
- Authentication, but it's opt-in instead of mandatory;
- Rate limiting, but no business context; and
- Metrics, but just request counts.
But Ehmke said developers also need to know:
- Who owns which APIs, when they break at 3 a.m.?
- Which APIs can be retired without breaking production?
- How to find APIs instead of building duplicates; and
- Whether APIs are compliant, with real evidence.
"It's time to build a platform that actually governs," he said.
An API Utopia
Contrast the Wild West with the idea of API Utopia, which he defined as providing:
- Full real-time visibility of APIs;
- Security built in automatically;
- Reuse of API design blocks, enforcing standards;
- Delivery 3x faster;
- Compliance where auditors and regulators become your fans; and
- APIs that can be monetized easily.
"You can have full visibility, security, reuse, delivery and compliance and monetization all in a single place by thinking of it as more than just a gateway," Ehmke said. "A gateway is part of the posture, but it's not enough."
The 6 Pillars of API Platform Success
To get there, he recommended embracing six pillars of API platform success.
"We can get better. We can get more done faster," he said. "We can reduce our security incidents and we can have lower development costs. Thinking of it in six different pillars helps just to wrap your heads around what I should be thinking of on my API platform versus just a gateway."
Pillar 1 is to establish clear policies and standards, where governance is mandatory. Pillar 1 means requiring:
- The use of OAuth;
- Versioning of all APIs;
- Full documentation of all APIs; and
- All APIs to pass security tests.
"These are the things that you put into code, put into law," Ehmke said.
Pillar 2 is API lifecycle management, from design through building, testing, deploying and operating to retirement.
"These are automations and tools that you built into your platform," Ehmke explained. "Everything should be classified in your platform so that you don't accidentally get to production [and] the API leaks a social security number. Again, these things happen without the right checks and balances in place," he said.
For instance, the design gate should ensure the spec is valid OpenAPI 3.1, includes security schemes, has its auth flows defined, and has owners recorded in the catalog along with a data classification, he explained. The build gate requires a backward-compatibility check, semantic versioning and contract tests, as well as assessments of performance and consumer impact.
The API platform should handle:
- Inventory and ownership, so there's a single source of truth for all endpoints;
- Contract testing, so that it auto-runs tests on every change;
- Policy as code that enforces gates in CI/CD and at the gateway;
- Progressive delivery, such as canary, shadow and rollback via the gateway;
- A consumer registry that maps callers to versions and performs impact analysis; and
- Observability, so that Service Level Objective (SLO) budgets are wired to deploy rights.
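One concrete form of the Pillar 1 rules (OAuth required, every API versioned and documented, security mandatory rather than opt-in) and the Pillar 2 design gate (valid OpenAPI 3.1, security schemes present, auth flows defined, owner and data classification recorded) is a policy-as-code check that a CI pipeline runs over the OpenAPI document before the API reaches the gateway. The following is an added example, not code from the talk, DevGrid or Kong. The `x-owner` and `x-data-classification` extension names, the allowed classification values and both sample specs are assumptions constructed for the example.

```python
"""Policy-as-code design gate for OpenAPI 3.1 documents (added example).

Encodes the Pillar 1 rules (OAuth required, every API versioned and documented,
security mandatory rather than opt-in) and the Pillar 2 design-gate checks
(OpenAPI 3.1, security schemes present, auth flows defined, owner and data
classification recorded). The x-owner and x-data-classification extension
names, the allowed classification values and the sample specs are assumptions.
"""
from typing import Any

OAUTH_FLOWS = ("authorizationCode", "clientCredentials", "implicit", "password")
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options", "trace")
CLASSIFICATIONS = {"public", "internal", "confidential", "pii"}  # assumed taxonomy


def check_spec(spec: dict[str, Any]) -> list[str]:
    """Return policy violations found in an OpenAPI document; [] means the gate passes."""
    findings: list[str] = []
    if not str(spec.get("openapi", "")).startswith("3.1"):
        findings.append("openapi: document must declare OpenAPI 3.1")

    info = spec.get("info", {})
    if not info.get("version"):
        findings.append("info.version: every API must be versioned")
    if not info.get("description"):
        findings.append("info.description: the API itself must be documented")
    if not info.get("x-owner"):
        findings.append("info.x-owner: no owner recorded for the catalog")
    if info.get("x-data-classification") not in CLASSIFICATIONS:
        findings.append("info.x-data-classification: missing or not in the allowed set")

    schemes = spec.get("components", {}).get("securitySchemes", {})
    oauth = {name for name, s in schemes.items() if s.get("type") == "oauth2"}
    if not oauth:
        findings.append("components.securitySchemes: no oauth2 scheme defined")
    for name in oauth:
        if not any(f in schemes[name].get("flows", {}) for f in OAUTH_FLOWS):
            findings.append(f"securitySchemes.{name}: no OAuth flow defined")

    global_sec = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            loc = f"{method.upper()} {path}"
            # An operation inherits the top-level requirement unless it overrides it;
            # 'security: []' is an explicit opt-out of auth and must be rejected.
            sec = op.get("security", global_sec)
            if not sec:
                findings.append(f"{loc}: no security requirement (auth is opt-in)")
            else:
                for req in sec:
                    for scheme in req:
                        if scheme not in schemes:
                            findings.append(f"{loc}: references undefined scheme '{scheme}'")
                if not any(oauth & set(req) for req in sec):
                    findings.append(f"{loc}: security requirement does not use OAuth")
            if not (op.get("summary") or op.get("description")):
                findings.append(f"{loc}: undocumented operation")
    return findings


# Constructed sample: fails several rules (wrong OAS version, API-key-only auth,
# an operation that opts out of auth, no owner or classification).
BAD_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "Customer API", "version": "1.0.0"},
    "components": {"securitySchemes": {
        "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "paths": {"/customers/{id}": {
        "get": {"summary": "Fetch a customer", "security": [{"apiKey": []}]},
        "delete": {"security": []},
    }},
}

# Constructed sample: satisfies every rule.
GOOD_SPEC: dict[str, Any] = {
    "openapi": "3.1.0",
    "info": {"title": "Customer API", "version": "2.0.0",
             "description": "Customer profile service",
             "x-owner": "team-customer@example.com",
             "x-data-classification": "pii"},
    "components": {"securitySchemes": {"oauth": {
        "type": "oauth2",
        "flows": {"clientCredentials": {
            "tokenUrl": "https://auth.example.com/token",
            "scopes": {"customers:read": "Read customer profiles"}}}}}},
    "security": [{"oauth": ["customers:read"]}],
    "paths": {"/customers/{id}": {"get": {"summary": "Fetch a customer"}}},
}

if __name__ == "__main__":
    for label, spec in (("bad", BAD_SPEC), ("good", GOOD_SPEC)):
        problems = check_spec(spec)
        print(f"{label}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

The one check worth dwelling on is the opt-out: OpenAPI lets an operation declare `security: []` to disable the document-wide requirement, which is exactly the "authentication, but opt-in" gap the talk describes, so the gate treats an empty requirement the same as a missing one. A real pipeline would run this against the rendered spec in CI and refuse to publish the route to the gateway on any finding.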
Pillar 3 requires automation and tooling to handle the design time, run time and operations of the platform. For instance, at design time there should be code generation from specs, schema validation and mock servers. Run time should include rate limiting and quotas; auth, transformation and circuit breaking. Operations should allow SLO-driven auto-rollback, certificate rotation and compliance reports.
"People are expensive. They take vacations, so automate everything that you can," Ehmke said. "This is a big one. This is a lot of gaps in security. API teams, feature teams, they can get stuff done, but they don't always think of the big picture of security and compliance."
Pillar 4 covers security and compliance, including authentication, runtime protection and compliance reporting. So, for instance, under authentication, the platform should deliver:
- OAuth 2.0 and OpenID Connect (OIDC);
- mTLS for the service mesh;
- API key rotation; and
- Zero-trust verification.
Runtime protection includes:
- DDoS mitigation;
- SQL injection blocking;
- Rate limiting per client; and
- Payload encryption.
Compliance issues that the platform should address include inventory attestation, auth-type reporting, integration with security tools, and audit logging.
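For the runtime side of Pillar 4, the following added example (not code from the talk or from Kong's gateway) shows how API key rotation and per-client rate limiting fit together in a gateway: the token bucket is keyed on the authenticated client and sized by its plan, which is the business context that plain gateway rate limiting lacks, and a rotated key keeps working only until a grace deadline. The client ids, plans, limits and keys are constructed sample data, and the `Gateway` class and its methods are assumptions made for illustration.

```python
"""Per-client rate limiting with rotating API keys (added example).

Models two Pillar 4 items as a gateway would apply them:
 1. API key rotation: a client holds a current key and, during rotation, a
    previous key that stays valid only until a grace deadline.
 2. Rate limiting per client: the token bucket is keyed on the authenticated
    client and sized by its plan (the business context), not on the raw key
    or the caller's IP, and unauthenticated calls are rejected, not throttled.
The store keeps SHA-256 hashes of keys, never the keys themselves. Client ids,
plans, limits, keys and the Gateway API are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# plan -> (burst capacity, refill rate in requests per second); assumed values
PLAN_LIMITS = {"free": (10, 10 / 60), "enterprise": (1000, 1000 / 60)}


def key_hash(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()


@dataclass
class ClientRecord:
    client_id: str
    plan: str
    current_hash: str
    previous_hash: Optional[str] = None
    previous_expires: float = 0.0   # epoch seconds; previous key is dead after this


@dataclass
class Bucket:
    tokens: float
    updated: float


class Gateway:
    def __init__(self) -> None:
        self.clients: dict[str, ClientRecord] = {}
        self.index: dict[str, str] = {}       # key hash -> client id
        self.buckets: dict[str, Bucket] = {}  # client id -> token bucket

    def register(self, client_id: str, plan: str, api_key: str) -> None:
        h = key_hash(api_key)
        self.clients[client_id] = ClientRecord(client_id, plan, h)
        self.index[h] = client_id

    def rotate(self, client_id: str, new_key: str, now: float,
               grace_seconds: float = 3600) -> None:
        """Issue a new key; the old one keeps working until now + grace_seconds."""
        rec = self.clients[client_id]
        if rec.previous_hash:                 # an older rotation is superseded outright
            self.index.pop(rec.previous_hash, None)
        rec.previous_hash, rec.previous_expires = rec.current_hash, now + grace_seconds
        rec.current_hash = key_hash(new_key)
        self.index[rec.current_hash] = client_id

    def authenticate(self, api_key: str, now: float) -> Optional[ClientRecord]:
        h = key_hash(api_key)
        client_id = self.index.get(h)
        if client_id is None:
            return None
        rec = self.clients[client_id]
        if h == rec.current_hash:
            return rec
        if h == rec.previous_hash and now < rec.previous_expires:
            return rec
        self.index.pop(h, None)               # grace window over: retire the old key
        return None

    def handle(self, api_key: str, now: float) -> int:
        """Return an HTTP status: 401 unauthenticated, 429 over limit, 200 allowed."""
        rec = self.authenticate(api_key, now)
        if rec is None:
            return 401                        # never spend rate-limit budget on unknown callers
        burst, rate = PLAN_LIMITS[rec.plan]
        b = self.buckets.setdefault(rec.client_id, Bucket(float(burst), now))
        b.tokens = min(burst, b.tokens + (now - b.updated) * rate)
        b.updated = now
        if b.tokens < 1:
            return 429
        b.tokens -= 1
        return 200


if __name__ == "__main__":
    gw = Gateway()
    gw.register("hobby-app", "free", "k-hobby-1")
    gw.register("acme", "enterprise", "k-acme-1")
    print([gw.handle("k-hobby-1", 0.0) for _ in range(11)])   # ten 200s, then 429
    print(gw.handle("k-acme-1", 0.0))                        # 200: separate bucket and plan
    gw.rotate("acme", "k-acme-2", now=0.0)
    print(gw.handle("k-acme-1", 100.0), gw.handle("k-acme-1", 4000.0))  # 200 then 401
```

Two design points carry over to a real deployment: the bucket belongs to the client identity, so rotating a key does not reset the client's quota or let it double its budget by holding two valid keys, and the grace window is what makes rotation safe to automate, since a consumer that has not yet picked up the new key degrades to a 401 only after the deadline rather than at the instant of rotation.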
Pillar 5 encompasses developer experience: steps that give developers helpful capabilities such as the ability to:
- Browse a catalog of existing APIs;
- Generate from templates and SDKs;
- Have auth and security pre-configured;
- Run automated compliance checks; and
- Self-service everything.
"You will have a lot of resistance by putting everything … as proprietary code, or make everything Build Your Own Adventure," Ehmke said. "But if you make it an easy onboarding experience for your developers, make it upload your spec, get a proxy, I can guarantee you that you're going to have a lot more people breaking down your door to say, 'I want to use your new proxy, because it's so easy to use, I have everything out of the box.'"
Finally, Pillar 6 covers monitoring and metrics in an API dashboard that shows developers the total number of APIs, the percentage that is compliant, the average response time, security issues, API reuse and developer satisfaction.

Screenshot from Jason Ehmke’s position astatine Kong API Summit 2025.
Avoid nan Pitfalls
"Now there are some potential pitfalls to all this, because you might have no buy-in, you might not have the right buy-in," Ehmke warned. "Sure you have your platform, but you haven't talked to the security team. You haven't gotten their blessings."
The five most common pitfalls that create problems are:
- No executive teeth, so that people ignore the requirements. Executives need to establish hard rules, such as the CISO demanding that without security measures, the API doesn't deploy.
- Another typical mistake is what he calls "Gateway Theater," which is assuming that if you have a gateway, you're secure.
- Also, and we're sure you've heard of this one, a common pitfall is "The VP exception," where a VP makes an exception "just this once" because it's on deadline. That leads to chaos. So ensure any exceptions are documented. "If someone pushes for an exception, it's now their problem in writing," he said.
- Making the team do everything manually to avoid the CI/CD pipeline, which would otherwise block bad or unsafe apps.
- Developer revolt is also a potential pitfall. Again, automation and a good developer experience will help in avoiding it.
"Automate, automate, automate, and that's the developer experience," he said. "If the onboarding experience is so visible, developers will find a way to get their VP to give them the exception of not using it, and you're back to square one."