Traditionally, developers have seen APIs as tools to integrate different software systems or build applications. But, with the rise of digital transformation and the increasing demand for data-driven products and services, organizations recognize APIs' potential for generating revenue.
API-as-a-Product (AAAP) is a business strategy where an organization treats its Application Programming Interface (API) as a standalone product that can be marketed and sold to external customers.
AAAP focuses on providing a well-designed and well-documented API that developers can easily access and integrate. Features include developer portals, sandbox environments, and analytics tools that track API usage and performance. By treating APIs as a product, organizations can monetize digital assets, expand market reach, and foster innovation by creating new products and services. The API is not just how the product is delivered; it is the product that gets delivered.
Can You Give me an Example?
Some examples of well-known API products are:
- Stripe API: Allows developers to integrate payment processing into their applications.
- Salesforce API: Allows developers to integrate Salesforce CRM functionality into their applications.
- Amazon Web Services (AWS) API: Provides developers access to AWS cloud services, including compute, storage, and database services.
Role of the API Product Manager
Why bring up the Product Manager? "A major responsibility of an API product manager is the ability to clearly articulate the product’s value and benefits to internal stakeholders and end users." The PM is a major driver in AAAP.
PMs need to work interdepartmentally to look at all angles of an API’s uses and needs. Because the undertaking is more than just an easier technical way to work internally, all relevant stakeholders need to be involved.
In pressure situations to deliver a product ahead of competitors, there’s a danger of delivering that product speedily at the cost of stability and security. Is the customer willing to accept a speedily delivered product at the sacrifice of a stable and secure environment? That risk – at minimum, a reputational risk, if not a privacy and/or regulatory risk - has to be weighed by corporate leadership. In short, is delivering an incomplete product to make some money worth the future risk of losing an exponential amount of business?
Design thinking comes to mind. Design thinking is “a discipline that uses the designer’s sensibility and methods to match people’s needs with what is technologically feasible and what a viable business strategy can convert into customer value and market opportunity.” At Stoplight, we often refer to this as the design-first approach.
Here are some actions that API product managers should take when developing an API product:
(NOTE: Before getting into the following lists, checklists are necessary! Many items seem obvious, but with all the details involved, it’s easy to overlook one or more. And overlooking any one of these could spell big trouble).
Define the API Product Strategy
Define the product vision, mission, and roadmap that aligns with the organization's overall business objectives. This includes identifying target customers and use cases and defining the value proposition.
Conduct Market Research
Conduct market research to understand customer needs, competitive landscape, and industry trends. This research includes analyzing customer feedback and competitors.
Define API Design and Architecture
Work closely with the API development team to define the API design and architecture that meets customer needs and aligns with industry standards.
Implement Security and Compliance Controls
Ensure the API product meets security and compliance requirements, including implementing authentication and authorization mechanisms, encryption protocols, and other security measures.
Test, Validate, and Measure API Performance
Analytics tools will help test and validate the API to ensure it meets customer needs, performs as expected, and is reliable and scalable.
Provide Excellent Customer Support
External customers need to easily integrate the API product into their applications and troubleshoot any issues that arise, and they’ll rely on the product maker.
“API security is taking center stage for many organizations…” and this includes AAAP development. Chapter 6 of the book “Continuous API Management” says, “The implementation work in the create stage should include designing and building an appropriately secure infrastructure for your API...No API is too small or unimportant enough to risk being vulnerable.”
Because the API will be exposed to external customers who rely on it to enable their applications and services, developing an AAAP requires special attention to security considerations. Here are some of these considerations to bear in mind:
Authentication and Authorization
Implementing a robust authentication and authorization mechanism is crucial for securing an API to ensure that only authorized users can access the API. Support for strong passwords/passphrases, MFA and SSO should be factors.
APIs should validate all user input to prevent injection attacks and other types of security vulnerabilities. Validating user input such as data types, length, and format.
Implementing rate limiting is essential to prevent API abuse by limiting the number of requests that a single user or IP address can make. This can prevent denial-of-service attacks and other types of malicious behavior.
Ensuring TLS is operating helps guarantee that only the right users are decrypting and changing the data, protecting against eavesdropping and man-in-the-middle attacks.
The API should provide meaningful error messages without revealing sensitive information or exposing security vulnerabilities.
Logging, Monitoring, and Alerting
Implementing logging, monitoring, and alerting is critical for detecting and responding to security incidents. All API activity - including authentication attempts, request and response data, and errors - need to be treated.
Maintain version control of APIs to ensure external customers do not use deprecated or insecure versions.
What security considerations do customers need to be aware of when buying API-as-a-Product?
In addition to the above items, here are some security considerations customers should pay attention to when purchasing an AAAP:
For those handling sensitive data or operating in a regulated industry, verify that the API product complies with relevant regulations such as GDPR, HIPAA, and PCI DSS.
If the API product integrates with third-party services, ensure these integrations are secure and do not introduce vulnerabilities into your system.
Documentation and Support
Ensure that the API product provides comprehensive documentation and support to help you integrate and troubleshoot any issues that arise.
Verify that the API product undergoes regular security audits and testing to identify and address any security vulnerabilities. While not all vendors have ISO 27001 or other rigorous compliance attestations, one can request relevant security documentation.
When vendors and customers consider the many aspects of AAAP, those products can be properly designed to provide a stable and user-friendly environment and maintain both business and consumer privacy and security. And that path can lead to improved and lasting business performance.
Ross Moore is the Cyber Security Support Analyst with Passageways. He has experience with ISO 27001 and SOC 2 Type 2 implementation and maintenance. Over the course of his 20+ years of IT and Security, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP along with CompTIA’s Pentest+ and Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University. He is also a regular writer at Bora.