WSO2 API Manager is a 100% open source API management solution, complete with API publishing, lifecycle management, developer portal, access control and analytics.
2. Agenda
o Introduction
o Creating APIs
o Protecting APIs
o APIs Lifecycles
o Developer Portal
o Testing APIs
o API Gateway
o Deployment
o API Analytics
4. APIs for Business Innovation
o API - Business capability offered via a digital channel
o Open internally and/or externally
o Monitored
o In some cases, monetized
o Fuel for rapid innovation, development of new apps
Image: thinkpublic/photopin cc
6. WSO2 API Manager
o The only complete, 100% open source API Management solution
o A cleanly integrated system supporting API publishing, lifecycle management, developer portal, access control and analytics
o Backed by a high performance gateway
o A single node supports more than 100 million requests/day
o eBay handles up to 4.6 billion requests per day at peak times (Cyber Monday)
[Charts: Product Downloads (June-Dec 2013, Jul-Dec 2014, Jul-Dec 2015); Production Customers (Dec 2014, June 2015, Dec 2015)]
7. WSO2 API Manager cont.
o Includes social enablement such as ratings and tagging
o Supports single sign-on with Facebook, Google Apps, etc.
o Named a Strong Performer in this space by Forrester in 2014 and 2015
o Best API Design across all vendors
o Best Solution Cost for on-premise solution
o Extremely Satisfied customers
o Available on-premise, as a managed deployment and as a SaaS application (API Cloud)
8. Competitive Advantage
o API Management is part of a complete platform
o Integration
o Security (Identity Management, Federated Identity)
o API Analytics
o Open Architecture
o Custom security tokens and grant types
o Custom store/developer portal user interface
o Custom user repositories
o Custom transports to the back-end
o Available on-premise, as a managed offering and as a SaaS offering - same code everywhere
9. Competitive Advantage cont.
o Scalable Architecture
o Each component (Gateway, Dev Portal, Admin Portal, Key Server) can be deployed and scaled separately
o Over 5000 TPS for a single node
o Business Model
o Subscriptions only for production systems - makes cost very competitive
o Pricing is adapted to small, medium and enterprise customers
o Cost linked to instances, not to machine power
o No community vs. enterprise distinction
10. Typical Use Cases
o Expose APIs for internal consumption
o Manage APIs used in internal applications
o Internal monetization
o Control access to cloud services - Manage and secure access from internal applications to cloud services (e.g. Salesforce and Google Apps)
o APIs for public consumption
o Extend your business through APIs
o Integrate with partners and customers
13. Getting Started
o For REST - Start from an existing API definition (Swagger 2.0) or start from scratch
o For SOAP - Start from a WSDL and generate a default mapping and definition
18. API Access Tokens
o OAuth2 standard compliant
o Supports multiple grant types
o SAML (SAML 2.0 bearer assertion), IWA/NTLM
o Client credentials, Implicit, Password (resource owner password credentials)
o Pre-generated access token - mostly used for testing
o On-demand access token - generated via an API call to the Gateway's token endpoint, using any of the supported grant types
o Tokens can be refreshed/revoked via API calls as well
19. Pluggable OAuth Authorization Server
o OAuth token management is by default done with WSO2's Key Server (based on WSO2's Identity Server)
o Can be replaced by a third-party authorization server capable of creating, refreshing, validating and revoking OAuth tokens
20. Limiting Access to API Resources
o Achieved through OAuth scopes - a scope defines what can be accessed with a token; an API resource can require one or more scopes, and calls whose token does not carry them are rejected at the gateway
o How to request a token with scopes (password grant). Scope is a space-separated list, so it must be form-encoded in the request body (the space becomes %20 or +); note that the password grant passes the user's credentials through the client application, so it is only appropriate for trusted, first-party clients:
grant_type=password&username=john&password=john123&scope=news_read%20news_write
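The token request from the two slides above, worked through end to end as an added example (this is illustration code, not WSO2's): it form-encodes a password-grant body with a space-separated scope list, reads the granted scopes back out of a (constructed) token response, and enforces per-resource scope requirements the way a gateway would. The token endpoint URL, the resource-to-scope mapping and the response JSON are assumptions.

```python
"""Added example (not WSO2 code): OAuth2 password-grant token request with
scopes, and gateway-side scope enforcement per API resource.
Endpoint, resource map and token response are constructed assumptions."""
import json
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://gateway.example.com/token"  # assumed endpoint

# Assumed mapping of API resources to the scope(s) a token must carry.
RESOURCE_SCOPES = {
    ("GET", "/news/1.0/articles"): {"news_read"},
    ("POST", "/news/1.0/articles"): {"news_write"},
    ("DELETE", "/news/1.0/articles"): {"news_write", "news_admin"},
}


def build_password_grant_body(username, password, scopes):
    """Return the application/x-www-form-urlencoded body for a
    resource-owner-password grant. RFC 6749 defines scope as a
    space-delimited list; urlencode() turns the space into '+', which
    the token endpoint decodes back to a space."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    })


def requested_scopes(form_body):
    """What the server sees after decoding the body (sanity check)."""
    return set(parse_qs(form_body)["scope"][0].split())


def granted_scopes(token_response_json):
    """Extract the scope set from a token response (RFC 6749 section 5.1).
    A server may grant fewer scopes than requested, so always read
    this field rather than assuming the request was honoured."""
    data = json.loads(token_response_json)
    return set(data.get("scope", "").split())


def is_authorized(method, path, token_scopes):
    """Gateway check: allow the call only if the token covers every scope
    the resource requires. Unmapped resources are denied by default."""
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return False
    return required.issubset(token_scopes)


if __name__ == "__main__":
    body = build_password_grant_body("john", "john123", ["news_read", "news_write"])
    print(f"POST {TOKEN_ENDPOINT}\n{body}")
    # Constructed token response; a real one comes from the token endpoint.
    response = ('{"access_token":"c0n5tructed","token_type":"Bearer",'
                '"expires_in":3600,"scope":"news_read"}')
    scopes = granted_scopes(response)
    for method in ("GET", "POST"):
        print(method, "/news/1.0/articles ->",
              "allowed" if is_authorized(method, "/news/1.0/articles", scopes) else "denied")
```

The constructed response deliberately grants only `news_read` although both scopes were requested, so the POST is denied: a client must key its behaviour off the `scope` field it was actually granted.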
21. Throttling & Rate Limiting
o Throttling
o Regulates API traffic
o Makes APIs and applications available to consumers at different service levels
o Protects APIs and back-ends against abuse and overload (e.g. DoS attacks); it bounds request volume but does not replace authentication and input validation
o Throttling is controlled through tier-based policies - a tier is defined by a time duration and a maximum number of requests during that duration
o Tiers can be applied at application, API and API resource levels
22. Throttling & Rate Limiting cont.
o At subscription time, API consumers choose among the tiers made available for the API - this default behaviour can be overridden through workflows (e.g. requiring approval)
o Throttling policies encompass:
o Standard usage quotas on subscriptions and resources
o Rate limiting based on complex, extensible and dynamic rules, scenarios and events
o Complex throttling policies (keyed on transport headers, IP addresses, etc.) can be created on the fly
o Facilitates blacklisting users/applications that abuse rate limits
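The tier model from the two throttling slides above, as an added example (not WSO2's throttling engine): a tier is a maximum request count per fixed time window, and the same request is checked against an application-level, an API-level and a resource-level tier. Tier names and limits are constructed. The check is deliberately two-phase, so a request rejected at the resource level does not also consume the application's quota.

```python
"""Added example (not WSO2 code): fixed-window, tier-based throttling
applied at application, API and API-resource level.
Tier names and limits below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    max_requests: int     # maximum number of requests ...
    window_seconds: int   # ... during this duration


# Constructed tiers (names are arbitrary).
TIERS = {
    "Bronze": Tier("Bronze", 3, 60),
    "Gold": Tier("Gold", 10, 60),
}


class Throttler:
    def __init__(self):
        # counter key -> [window_start_seconds, request_count]
        self._windows = {}

    def _window(self, key, tier, now):
        """Return the live window for `key`, starting a new one if the
        previous window has expired."""
        w = self._windows.get(key)
        if w is None or now - w[0] >= tier.window_seconds:
            w = [now, 0]
            self._windows[key] = w
        return w

    def check(self, app_id, api, resource, tiers, now):
        """Evaluate a request against the tiers configured for it.
        `tiers` maps any of 'application', 'api', 'resource' to a Tier.
        Returns (allowed, level) where level names the exhausted tier,
        or None when the request is allowed.

        Phase 1 inspects every level without mutating counters, so a
        request throttled at one level is not charged to the others;
        phase 2 increments all counters only when the request passes."""
        keyed = [
            ("application", ("app", app_id)),
            ("api", ("api", app_id, api)),
            ("resource", ("res", app_id, api, resource)),
        ]
        windows = []
        for level, key in keyed:
            tier = tiers.get(level)
            if tier is None:
                continue
            w = self._window(key, tier, now)
            if w[1] >= tier.max_requests:
                return False, level
            windows.append(w)
        for w in windows:
            w[1] += 1
        return True, None


if __name__ == "__main__":
    t = Throttler()
    policy = {"application": TIERS["Gold"], "resource": TIERS["Bronze"]}
    for second in range(5):
        print(second, t.check("app1", "news", "/articles", policy, now=second))
    print(60, t.check("app1", "news", "/articles", policy, now=60))  # window reset
```

Fixed windows are simple but allow a burst of up to 2x the limit across a window boundary; a sliding-window or token-bucket variant would smooth that out at the cost of more state per counter.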
24. JWT Token Creation
o Using JSON Web Tokens (JWT)
o Lightweight
o Can be signed, so the receiving side can verify who issued the token and that it was not altered
o Easy to parse and consume
o Standard (RFC 7519)
o JWT structure: {header (token info)}.{claims set}.{signature}
o Each part is Base64url encoded, without padding, as required by the JWS compact serialization
o Contents of the JWT (the claims it carries) are configurable
26. API Lifecycle Management
o Create new APIs from existing versions
o Deploy multiple versions in parallel
o Deprecate versions to remove them from the store
o Retire them to un-deploy from the gateway
o Keeps an audit of lifecycle changes
o Supports custom lifecycles leveraging WSO2 Governance Registry
28. Discover APIs
o Users can search APIs by name, provider, version number, context, description, meta-data from docs, etc.
o Tags to easily find all APIs related to the same domain
o Notifications on new API versions
29. Social Features
o Share with fellow developers via social media or mail
o Embed API link into blogs, Tweets, etc.
30. Forums
o Rich editor embedded within interface
o Forums are searchable and indexed
31. Customization
o All API store functionality available through REST API
o Customization through CSS, HTML5, JavaScript
32. Monetization
o Configurable payment schemes to monetize API usage
o Monetization rules are associated to Tiers
o Supports Free, Paid, Freemium models
o Usually coupled with 3rd party invoice/payment plans software (such as Zuora)
34. Embedded API Console
o Part of the Swagger tooling suite
o Integrates token access for fast testing
o Gives direct access to the Swagger definition of the API
o Supports Swagger schemas for predefined values
38. Message Transformation and Mediation
o Custom mediation flows can be created by a developer and simply engaged by the API creator
o Mediation flows can be created using Developer Studio and directly published to API Manager
o Full power of the WSO2 ESB mediation language
o Graphical and source view
o Mediation flows are tenant-specific (not visible/usable across tenants)
39. Workflows
o Provides an extension point to engage custom workflows
o The default sample implementation leverages WSO2 Business Process Server, but a simple Java-based implementation or another BPM engine can also be used
o Supports redirecting to third-party entities
o Available for user self-sign up, API subscription and application creation
41. Component Deployment
o Out-of-the-box, all components are packaged together
o They can also be deployed separately in an HA scenario - Active/Active, Active/Passive
43. Multi-tenancy
o Creation of multiple domains (tenants)
o Each domain can have its own store or publish APIs to a central store - this is transparent to consumers
o Typical Use Cases
o Segmenting publishers by business unit or partner and restricting editing rights by domain
o Creating an API marketplace - a one-stop store for domain APIs
o API Cloud heavily leverages this functionality
44. Recommended Deployment: API Facade Pattern
o The API Gateway acts as a simple reverse proxy, enforcing policies and collecting monitoring information
o Specific security checks/protection at the edge of the network
o Invalid requests are stopped at the edge of the network, before they reach the mediation and back-end layers
o Clear separation of concerns between layers
o The mediation and API management layers scale independently
o You can combine the Facade and Mediation layers (if required) and run them as a single architecture layer
45. WSO2 Platform Deployment Options
o On-premise / self-managed
o Stand-alone servers
o Private clouds: e.g. Stratos, Kubernetes
o Public clouds: e.g. AWS
o Hybrid deployments
o Managed offering
o Dedicated hosting of any WSO2-based solution
o WSO2 operations team manages the deployment and keeps it running
o 99.99% uptime SLA
o Any AWS region of choice
o Can be VPNed to the local network
o Includes monitoring, backups, patching, updates
o SaaS offering (API Cloud)
o Shared public cloud
o Currently available for application and API hosting (hosted API Manager and App Factory)
o Preset multi-tenant deployment in AWS US East run by WSO2
o Month-to-month credit card payment
47. Analytics
o WSO2 API Manager out-of-the-box supports Google Analytics and
WSO2 Analytics
48. Importance of API Management & Analytics Combination
o Build confidence in the API model
o Understand your customer - not just the developer but also the end-user of APIs
o Helps manage services and versions - understand when deprecated services can be retired
o Be notified when abnormal events take place
o Plan better
o Monitor the growth of aggregated API traffic
o Monitor the growth of specific apps
50. WSO2 Analytics Platform cont.
o Out-of-the-box reports covering all aspects of
o Subscriber behavior
o API usage
o Performance
o Can publish your own events from any API and build your own dashboards
51. Reports for API Creators & Publishers
o Stats on APIs
o Published APIs Over Time
o API Usage
o API Response Times
o API Last Access Times
o Usage by Resource Path
o Usage by Destination
o API Usage Comparison
o API Throttled Requests
o Faulty Invocations
o API Latency
o API Usage Across Geo Locations
o API Usage Across User Agent
o Stats on Applications
o App Throttled Requests
o Applications Created Over Time
o Stats on Subscriptions
o API Subscriptions
o Developer Signups Over Time
o Subscriptions Created Over Time
53. Reports for API Subscribers
o API Usage per Application
o Top Users per Application
o API Usage from Resource Path per Application
o Faulty Invocation per Application
54. Real-time API Behavior Analysis
o Leverages a real-time streaming analytics engine
o Detects fraudulent token usage - indication of stolen or leaked tokens via alerts on abnormal token renewals and access from previously unseen source IPs (abrupt changes in geo-location)
o Supports API product managers in providing better customer service
o Alerts when API response time is outside normal parameters, indicating a potential SLA breach
o Alerts when apps/users are throttled out for hitting their current subscription tier - a potential opportunity to proactively propose a tier upgrade or to adjust SLAs
o Detects when APIs are not used as expected
o Identifies erratic behavior and supports capacity planning
o Alerts on a sudden spike/drop in the request count for an API resource in a given duration - a possible indication of a system problem (or, for spikes, of abuse)
o Determines trends in increased response times - an indication of potential issues with APIs or back-end system capacity
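Two of the checks listed above, as an added example that is not WSO2's analytics engine: a detector that alerts when a token is used from a country it has never been seen from before (the unseen-source-IP / abrupt geo-location case), and a detector that alerts when a resource's request count in the current window is a multiple of the recent baseline (the sudden-spike case). Both run over a constructed stream of gateway access events; the event fields, the IP-to-country table and the thresholds are assumptions.

```python
"""Added example (not WSO2 code): streaming detection of (1) token use
from a previously unseen country and (2) request-count spikes per
resource, over constructed gateway access events.
GEO table, event fields and thresholds are assumptions for illustration."""
from collections import defaultdict, deque

# Constructed IP -> country table standing in for a geo-IP database.
GEO = {"203.0.113.10": "DE", "203.0.113.11": "DE", "198.51.100.7": "BR"}

# Constructed access events: (timestamp_s, token_id, source_ip, api, resource).
# tokA is used from two German IPs, then from Brazil within seconds;
# tokB produces a steady 2 requests per 10 s window, then 8 in one window.
EVENTS = sorted(
    [(0, "tokA", "203.0.113.10", "news", "/search"),
     (5, "tokA", "203.0.113.11", "news", "/search"),
     (9, "tokA", "198.51.100.7", "news", "/search")]
    + [(t, "tokB", "203.0.113.10", "news", "/articles") for t in (1, 6, 12, 17, 22, 27)]
    + [(30 + i, "tokB", "203.0.113.10", "news", "/articles") for i in range(8)]
    + [(41, "tokB", "203.0.113.10", "news", "/articles")]
)


class TokenAbuseDetector:
    """Alert when a token is presented from a country it has never been
    seen from. A new IP in an already-seen country is not alerted here;
    a stricter policy could track IPs or ASNs instead of countries."""
    def __init__(self):
        self.seen = defaultdict(set)   # token -> set of countries seen

    def observe(self, ts, token, ip):
        country = GEO.get(ip, "??")
        known = self.seen[token]
        alert = None
        if known and country not in known:
            alert = f"{ts}s token {token}: first use from {country} ({ip}); previously {sorted(known)}"
        known.add(country)
        return alert


class SpikeDetector:
    """Fixed windows of `window_s` seconds per resource. When a window
    closes, alert if its count exceeds `factor` times the mean of the
    previous `history` windows (and at least `min_count`, to ignore
    noise on near-idle resources)."""
    def __init__(self, window_s=10, history=3, factor=3.0, min_count=6):
        self.window_s, self.history = window_s, history
        self.factor, self.min_count = factor, min_count
        self.current = {}                                    # resource -> (window_idx, count)
        self.past = defaultdict(lambda: deque(maxlen=history))

    def _close(self, resource, idx, count):
        past = self.past[resource]
        alert = None
        if len(past) == self.history:
            baseline = sum(past) / len(past)
            if count >= self.min_count and count > self.factor * baseline:
                alert = f"window {idx} {resource}: {count} requests vs baseline {baseline:.1f}"
        past.append(count)
        return alert

    def observe(self, ts, resource):
        idx = ts // self.window_s
        win, count = self.current.get(resource, (idx, 0))
        alert = None
        if idx > win:
            alert = self._close(resource, win, count)
            for empty in range(win + 1, idx):   # windows with no traffic count as zero
                self._close(resource, empty, 0)
            win, count = idx, 0
        self.current[resource] = (win, count + 1)
        return alert

    def flush(self):
        """Close any open windows at end of stream and return their alerts."""
        alerts = [a for r, (w, c) in self.current.items() if (a := self._close(r, w, c))]
        self.current.clear()
        return alerts


def run(events):
    """Feed the event stream through both detectors; return alerts in order."""
    token_det, spike_det = TokenAbuseDetector(), SpikeDetector()
    alerts = []
    for ts, token, ip, api, resource in events:
        for a in (token_det.observe(ts, token, ip), spike_det.observe(ts, f"{api}{resource}")):
            if a:
                alerts.append(a)
    alerts.extend(spike_det.flush())
    return alerts


if __name__ == "__main__":
    for line in run(EVENTS):
        print("ALERT", line)
```

The geo check is keyed on country rather than raw IP because mobile and NAT'd clients change IPs constantly; the spike check compares against a short rolling baseline rather than a fixed threshold so the same detector works for both busy and quiet resources.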
55. Why Real-time Analytics for APIs?
o Blacklist and whitelist verifications in real time
o Detect trends
o Detect incoherencies in trends
o Detect API call sequences that you don't want to allow
o Detect non-usage scenarios (raise alerts on poor usage of a certain API)
57. Log Analysis
o Log analysis through reports on low-level system operations:
o Log events - overall statistics of the types of log events created in a given time period
o Application errors - breakdown of error log events based on exception category and error message
o Artifact deployment stats - number of artifacts deployed in a given duration
o Login failures - number of failed login attempts in a given duration
o Number of API failures
o Access token-related issues
o Ability to view live log events on a per-tenant basis