The API economy is in full swing. The API management market alone is expected to grow by 35% by 2025, driven by the massive number of web APIs entering the market. APIs are becoming ubiquitous across microservices architectures, generic product initiatives, SaaS platform offerings, the Internet of Things, and partner integration.
The industry has mushroomed and keeps changing, introducing new use cases for APIs across every sector. This ubiquity creates a growing need for API providers to maintain a high-quality developer experience and stay ahead of the competition. There are also competing styles and specification options on the market, which means designing the right API strategy is a moving target. Amid a surge in cyberattacks, developers now have a strong imperative to maintain a high level of security and reliability at these integration points.
I recently met with the CEO of Stoplight, Steve Rodda, to discuss the above trends and other forces driving the API industry forward in 2022. Below, we’ll dive into these trends to see how they affect API strategies and what developers need to know to keep their applications current.
Non-software companies adopt APIs
As software eats the world, more and more companies are becoming software companies. An API strategy is an integral part of this digital transformation. A big trend that Rodda recognizes is the rise of API strategies among companies that do not traditionally rely on software.
For example, Rodda described how a large beverage manufacturing company has evolved to adopt company-wide APIs in order to better use and scale its data. Rodda said that standardizing the API development and design process helped avoid a “rat’s nest” of custom code. “APIs are no longer a by-product; they are an artifact in design,” he said.
APIs are no longer reserved for cloud-native startup unicorns like Stripe or Twilio either. We are now seeing industries and sectors such as supply chain management, healthcare, shipping, built environments, and mainframe modernization adopting API approaches. The financial services sector is particularly keen on opening up APIs, as open banking is driven by regional regulation or market pressure.
Rise in Internal, API-First Reliance
ProgrammableWeb, the most comprehensive API directory, lists over 24,000 APIs at the time of writing. There is no doubt that public-facing APIs are well documented. But they are only a small part of total API adoption.
The 2021 Postman State of the API report found that only 15% of APIs are publicly available. According to the report, most APIs are either partner-facing (27%) or private (58%). In fact, the most common use case for APIs is integration between applications, software, or internal systems. Along with the growth of in-house API usage, API-first thinking is gaining mindshare. Postman defined API-first as “the identification and design of APIs and the base schema before developing dependent APIs, applications, or integrations.”
Rodda said internal use cases are not frequently discussed but are prevalent in large organizations. Whereas in the past development teams paid less attention to style guidelines and documentation for internal services, he has noticed that these practices are now changing. A zero-trust approach leads teams to take as much care in defining and standardizing internal APIs as they would if the APIs were external. This also makes the APIs easier to consume. “You have to take care of the people next to you and treat them with equal respect,” Rodda said.
The growing need for strong API security
APIs have a security problem. Many do not handle authorization properly and expose far too much information. An attacker can often escalate their privileges or simply substitute a different user ID in an API call to return large amounts of sensitive data, or even modify it. Many HTTP API endpoints that are meant to be private are in fact not. For this reason, OWASP lists broken object level authorization (BOLA) as the top API vulnerability in its API Security Top 10.
In recent years, we’ve seen what can happen when APIs are misconfigured. For example, a Facebook API lacked permission checking on unlisted posts, allowing a client to post on behalf of any user. A similar authorization error occurred at Peloton, allowing attackers to access any user’s account data. APIs constantly handle sensitive data and must carefully navigate the various data privacy regulations around the world.
According to Rodda, a design-first mindset is vital to fend off security issues early in the API lifecycle. This means settling on a structure with a common design and choosing well-fitting style guides before coding. “Good documentation, good design evidence, and good discipline around building something of a cross-functional nature will increase security and scalability,” said Rodda. He added that when you know what’s going on, you have more control and things are inherently safer.
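The object-level authorization failure described above, shown as an added illustration that is not from the article or from Stoplight: a minimal request handler with the BOLA defect next to its hardened form, plus a small detection aid that flags callers probing for IDs they do not own. The account store, user IDs and function names are constructed for this example.

```python
"""Broken object level authorization (BOLA): vulnerable vs. hardened handler.
Constructed example; the store, IDs and function names are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str
    balance: int


# Constructed sample data: two users, each owning exactly one account.
ACCOUNTS = {
    "acct-100": Account("acct-100", owner_id="user-1", balance=5000),
    "acct-200": Account("acct-200", owner_id="user-2", balance=75),
}


def get_account_vulnerable(caller_id: str, account_id: str) -> dict:
    """The BOLA pattern: caller_id is already authenticated, but the handler
    never checks that the caller owns the object named in the request, so any
    authenticated user who changes the ID gets someone else's record."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return {"status": 404}
    return {"status": 200, "balance": acct.balance}


def get_account_secure(caller_id: str, account_id: str) -> dict:
    """Hardened handler: authorize the (caller, object) pair on every request.
    A foreign object is answered with 404 rather than 403 so the API does not
    confirm that the ID exists, which would otherwise aid enumeration."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner_id != caller_id:
        return {"status": 404}
    return {"status": 200, "balance": acct.balance}


def flag_enumeration(requests, threshold: int = 3) -> list:
    """Detection aid for the hardened API: callers who request many distinct
    object IDs they do not own (each served as 404) are likely probing for
    BOLA. `requests` is an iterable of (caller_id, account_id) pairs."""
    misses: dict = {}
    for caller_id, account_id in requests:
        if get_account_secure(caller_id, account_id)["status"] == 404:
            misses.setdefault(caller_id, set()).add(account_id)
    return sorted(c for c, ids in misses.items() if len(ids) >= threshold)
```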
OpenAPI Holds Steady
The OpenAPI Specification, formerly known as Swagger, is the industry-standard specification for describing RESTful web APIs. OpenAPI can help guide the design and development of your API. OpenAPI tooling can also generate useful documentation, sandboxes, and software development kits, making it a valuable specification for creating interoperability between partners.
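One concrete way design-first pays off for security, as an added example that is not from the article or from Stoplight: a lint that reads an OpenAPI 3 document and reports every operation that ends up with no authentication requirement. The accounts API described in the embedded JSON is constructed for this example; the rule it relies on is OpenAPI's own, namely that an operation-level `security: []` overrides the document-wide default and switches authentication off for that operation.

```python
"""Design-first security check over an OpenAPI 3 document (constructed example)."""
import json

# Constructed OpenAPI 3.0 document in JSON form. The document declares bearer
# auth globally, but `deleteAccount` opts out with `security: []`, the kind of
# mistake a design review or CI lint should catch before any code is written.
SPEC_JSON = """{
  "openapi": "3.0.3",
  "info": {"title": "Example accounts API", "version": "1.0.0"},
  "security": [{"bearerAuth": []}],
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/accounts/{accountId}": {
      "parameters": [{"name": "accountId", "in": "path", "required": true,
                      "schema": {"type": "string"}}],
      "get": {"operationId": "getAccount",
              "responses": {"200": {"description": "ok"}}},
      "delete": {"operationId": "deleteAccount", "security": [],
                 "responses": {"204": {"description": "deleted"}}}
    },
    "/health": {"get": {"operationId": "health", "security": [],
                        "responses": {"200": {"description": "ok"}}}}
  }
}"""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def unauthenticated_operations(spec: dict, allowlist=frozenset({"/health"})) -> list:
    """Return operationIds whose effective security requirement is empty.
    Path-item keys such as `parameters` are not operations and are skipped;
    paths on the allowlist (e.g. a health probe) are deliberately public."""
    default = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            effective = op.get("security", default)  # [] here disables auth
            if not effective and path not in allowlist:
                findings.append(op.get("operationId", f"{method.upper()} {path}"))
    return sorted(findings)


def lint(spec_text: str) -> list:
    """Parse the JSON document and run the check."""
    return unauthenticated_operations(json.loads(spec_text))
```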
“OpenAPI will continue to operate for a while,” Rodda said. The OpenAPI Initiative has earned the support of the big names in the technology industry. However, Rodda estimates that only 40% of companies have adopted OpenAPI in production. Rodda said he believes tooling will make it easier for more teams to sustain OpenAPI adoption across their organization, reducing the chore of writing “another YAML file.”
REST is still the most widely adopted API design approach: 59.7% of developers use REST to produce APIs, according to RapidAPI’s State of APIs Developer Survey 2021. However, event-driven asynchronous communication protocols are gaining traction, and those protocols tend to favor alternative description formats such as AsyncAPI. WebSockets, gRPC, and GraphQL are other options consistently used by a large share of API developers.
Developer Experience Matches User Experience
Another major trend is the increasing importance of developer experience (DX). DX is akin to user experience, but it is about improving usability for developers as consumers of software and strengthening their ongoing relationship with software as a service. “DX is as big a deal as UI/UX these days, if not bigger,” explained Rodda. “The developer experience translates directly into efficiency and reusability.”
In the context of APIs, more attention to developer experience means less setup effort and more reliable connections. For example, users are likely to look for other solutions if a third-party API has poor uptime and routinely introduces breaking changes. Better DX will also likely mean more layers of abstraction and more code generation. Rodda points to GitHub’s Copilot as an example of AI and automation in future developer workflows.
“We have evolved as a developer community,” Rodda said. Just as consumers expect high-quality real-time applications, developers expect high-performance APIs. To help get there, an increasingly popular philosophy is to view the API as a product. “If you treat everything as a product, you are building it to the same standards and quality that you would share externally,” he explains. “So, no attention to detail is missing.”
Final Thoughts: A Design-First Mentality
More industries are using APIs than ever before, and APIs are spreading to traditionally non-technical companies to aid their internal integration efforts. But data privacy is an urgent concern when opening up data, and it requires careful measures. Taking a design-first approach with standards like OpenAPI can help organizations stay alert and ensure consistency across their suite of services.
There are other trends at work in the API economy as well. For example, one of Web3’s interesting initiatives is trying to bridge the worlds of blockchain and APIs by enabling on-chain smart contracts to interact with traditional HTTP APIs. There is also a lot of development activity around GraphQL, which can act as a unified query layer over multiple APIs, making integration easier.
Rodda said the biggest takeaway is that APIs should no longer be treated as byproducts. Compare it to a construction project: when building a house, you start with a blueprint before laying the foundation, walls, roof, or electrical system. Likewise, APIs require strong forethought to ensure stability and scalability.