API Design & Development
Tuesday, October 26, 2021
One of the key functions of APIs are for enabling integration with other applications. During integration, there are many commonly occurring integration errors and issues related to data, connectivity etc. Today, the approach to resolve the issues is predominantly manual with a few parts automated. The session will present a forward-looking approach on building Self-healing APIs. Self-healing APIs is a concept where fault tolerance is built in to resolve common issues on data and connectivity. The APIs could also monitor themselves and report the need for additional infrastructure. AI and Machine Learning play a role in enabling self healing by improving the quality of the fixes and resolutions.
When defining APIs the most common considerations are from what our payload looks like, and then from a implementer perspective. However, good APIs whether they’re internal or public are far more than just a payload description and need a consumer’s perspective. In this session we look at what makes up a good API; from OWASP Top 10 implications to ISO and data definitions, to how to make it easy for your consumers, why these points are important and the implications. We’ll explore techniques to overcome of the challenges seen when producing good APIs. Whilst we all think we know how to define APIs, you’ll be surprised at the things that get overlooked or opportunities to be better.
Access to APIs is usually controlled through authentication and authorization. Authentication establishes the identity of the API client and authorization verifies if an identity can invoke an API and perform the requested actions on the desired resources. API keys, session cookies, signed tokens and client certificates are some of the mechanisms used for authentication and authorization. In this talk, we explore how the posture of the API client can be also used to determine if the API can be accessed. The geo-location of the client and the trust level of its host machine are examples of postures. Some API implementations have used the client posture as a decision point but they have been either unreliable (e.g. using the source IP address to infer the geo-location) or ad hoc solutions for specific postures that cannot be generalized to other cases.This talk examines how a posture can be part of a generic API invocation flow. We define a framework that can support any type of posture or a combination of types. The framework uses signed claims that can be challenged by the API owner. We focus on hardware-backed claims, which are much harder to spoof than software claims. We also look at how posture verification can be integrated into existing authorization frameworks like oAuth. The talk uses 3 examples of postures: geo-location, host trust level and clients running in a Trusted Execution Environment (TEE).
Every thriving API program leverages the elements from business and technology equally. Alignment of business and technology strategy, the synergy between business and technical teams, and adaptability to the changes coming from either business or technology are fundamental characteristics of such an environment. Asanka will look at four areas, federation and business models, moving to the cloud, polyglot and heterogeneous approach, and modernizing development during this talk. He will also share real-world examples based on his involvement in numerous success stories.
API security is hard. API breaches now account for the majority of application/data breaches. Most web, mobile apps lack basic API-centric firewalls and gateways to protect app/data. This session will cover what developers need to know about the top API vulnerabilities and how to build an automated & continuous API security strategy
Building Idiomatic API Client Libraries across multiple languages is hard. Maintaining them is doubly hard. Learn how we programmatically generate API client libraries from OpenAPI Specification files to optimize our time & value for API users.
Wednesday, October 27, 2021
More and more companies are faced today with unique challenges of how to authenticate and authorize their APIs. This is so common and now Broken Access Control has taken the number #1 vulnerability on the OWASP top 10.
In this session, we will go over the best practices on how to authenticate and authorize your APIs, from design phase to real time implementation phase. We will handle authentication, authorization, access control and multi-tenancy aspects of API management including real life examples from RESTFUL and GraphQL based APIs.
In 2020 the worldwide annual cost of API development reached 100bn USD. As the global pandemic further accelerated the push for digital transformation, the need for connecting business digitally reached the all-time maximum. Yet, we are still manually wiring our systems together. We hard-code our applications in a process hardly scalable and borderline reliable.The autonomous integration pattern enables applications to discover, contract, and connect automatically without worries about maintenance. Private and public registries of business capabilities will form the backbone of Autonomous Integration Mesh and replace word-of-mouth and web search. Self-navigating and self-healing API clients will reduce the need for tedious work and provide blazing-fast resilient connections. Finally, API clients will contract and purchase digital capabilities opening the new era of all-digital sales and AI trading.This talk will explore autonomous API integration and discuss its practical implementation, cost, and time reduction impact on current API practices.
API development is challenging. Effective API development involves understanding API usage patterns, managing user feedback, ensuring the system can handle heavy API usage, and making difficult tradeoffs to ensure that end-users, API users, and developers supporting the system are all happy. So, how should you do it?
In this talk, I'll cover some guidelines for API development that can help reign in these challenges: writing an effective API spec, understanding what to get out of an API review, and getting feedback from early adopters through a beta testing program.
I'll also make the case that incorporating telemetry and observability tooling into the process can help you achieve more confidence in what you're building as you're building it. By capturing wide events across your entire API surface area, you can do things like correlate usage of one API with another to see if people are doing what you would want them to do and understand who is pushing your systems to its limits without getting paged in the middle of the night about a problem in the wild.
Throughout the talk, I'll reference real-world examples of building APIs at Honeycomb. We've seen tangible benefits to utilizing observability tooling in the development process. After this talk, you should have the information you need to reap similar benefits.
Organizational efforts to adopt microservices will more easily fail because of how our understanding of what a microservice is has shifted from its original meaning. In this presentation, we will look at the current communication paradigm of microservices and how this leads us down the road to massive amounts of unnecessary operational complexity compared to proper microservices or even a monolith. We will further discuss ways to avoid these common pitfalls to improve the likelihood of success.
Modern digital ecosystems generate revenue by connecting users and data. This is where APIs play an integral role; APIs are instrumental in achieving revenue goals and the overall success of a business. They are everywhere nowadays, allowing developers to unlock new opportunities for innovation. This presentation outlines the importance of the API-first strategy that enables agile business, adds a lot of flexibility, and is a prerequisite for getting great at digital. The audience will learn about the consumer-centric approach, the consumption with an outside-in perspective, and the value of the feedback loop when designing APIs. It is meant for technical people involved in creating interfaces that empower 3rd-party developers and API evangelists.
A few years ago DataStax launched a new offering of Cassandra-as-a-service in the cloud named ASTRA (astra.datastax.com). You might think that starting databases from web pages would have nothing to do with APIs, well you are wrong.
During this session we will go over the different APIs that have been designed, how and why. Most choices made will be detailed covering wide categories such as technology, languages, interface, versioning, maintenance or billing. The tooling needed to make your product a success (SDK, CLI, Terraform...) will be also presented. No surprises, the platform leverages on cloud providers services and API. Come and learn why a DBaaS is just an API calling other APIs.
Applications and APIs today are expected to evolve rapidly and continuously, or to face disruption. This has driven the need for the agility enabled by Microservices. Meanwhile, mobile has driven both a dramatic increase in data volumes and levels of interaction, while also driving expectations for always-on applications and faster response times.
This talk will cover key architectural elements of cloud-native Microservices that can process at Giga-scale, where event streams or user interactions can require or even one billion events per second. Distributed computing architectures for delivering this scale while also achieving 99.999% uptime will be explored, including in-memory and data locality, elasticity and resilience. The talk will also cover new challenges for building transactional apps in these architectures, such as: service discovery, retrying, load balancing, tracing causes of failures, transactional semantics.
I am a big believer in the philosophy of working backwards from the customer. Although there has been a lot of focus and impetus on working with Specifications first and Code last; my aim in this talk is to take this one step further.
I believe that one should start with the developer and their integration experience first and then work backwards from there to define the specification and finally resulting in code.
There are significant advantages to this approach and I plan to use the talk to share about how do I do so in practice and how teams can build the muscle although it initially feels not natural to do so.
Jonas Iggbom, Director of Sales Engineering at Curity will provide an overview of what a Hypermedia API is and how it can be used for browser-less authentication on iOS and Android. This coupled with the WebAuthn standard for passwordless authentication provides a great user experience especially on mobile devices where the browser context does not have to be invoked and for example FaceID can be used to authenticate the user. Jonas will demo an approach where both technologies work in synergy to provide the most seamless user authentication possible on mobile devices today.
Large public GraphQL endpoints have all advertised a notion of GraphQL cost for years, and various GraphQL servers and open source projects have implemented GraphQL cost calculations. In 2021, an effort has begun to standardize how systems communicate GraphQL cost to each other, which has promise to dramatically ease securing these systems and thus opening up many more big public GraphQL endpoints. Join us to learn about this effort, and how it can benefit you and your GraphQL strategy.
If you’re working with OpenAPI, the first question you have to solve is how to get that document written. An implementor can generate a server based on a spec, generate a spec based on a server, or write a spec independent of a server. Ed’s done all three, and will share some of his findings from putting each into production.
The good news is you've built an amazing API for your customers and partners, but the bad news is that's the easy part. The hard part is getting them to actually use the API, ensure they are successful, and create advocates to tell others about how incredible your platform is. So how do you go about building a vibrant ecosystem of developers around your API? Where do you invest? Do you hire a Developer Relations team? A Developer Marketing team? Technical Writers? Sponsor a million events? And how do you manage budget and expectations to ensure long term success??? In this session we'll take a look at some of the most successful communities, how they've become successful, and how you too can build a vibrant developer ecosystem without breaking the bank.
Thursday, October 28, 2021
Design First approaches are growing in popularity when it comes to API design. This allows all teams working with API to work together, using a common, human-understandable language to define the specifications of the APIs to be implemented. With all stakeholder views being represented, Design First approach allow to create product driven APIs, with short feedback loops, and help drive parallel development of applications.
In this talk, using an example of building a simple API definition, we will:
- Go through the principles of “Design First Approach”
- Examine the benefits this approach brings
- Look at an example workflow from beginning to end using Design First to build a simple application
Apache Cassandra™ is an incredibly powerful, scalable and distributed open source database. Companies with extremely high traffic use it to provide their users with consistent uptime, blazing speed, and a solid framework. However, many developers find Cassandra to be challenging because the configuration can be complex and learning a new query language (CQL) is something they just don't have time to do.
Stargate is an open source project which sits on top of Cassandra and provides HTTP interfaces to your data - it provides a REST API, a GraphQL API, and a Document API (schema less, similar to MongoDB). You can install it on top of your own Cassandra instance and participate in the community.
Don't just take my word for it, you can get a free Cassandra instance in the cloud from DataStax. The Astra databases do all the configuration for you up front - they're serverless so they scale as your database needs, and you only pay for the traffic you actually use.
With Astra DB, you can set up proof of concepts and create applications to explore whether Cassandra/Stargate is a system that will work for you. In this session Kirsten will demonstrate a TikTok clone which uses React and Netlify to provide a completely serverless application in the cloud.
API gateway technology has evolved a lot in the past decade, capturing use cases in what the industry calls "full lifecycle API management." API gateways allowed developers to expose and consume the APIs, secure them, and govern API traffic. However, today, they provide a series of functionalities to support the complete development cycle, including creating, testing, documentation, monitoring, event monetization, monitoring, and overall exposure of our APIs. Another pattern emerged from the industry around 2017: Service Mesh! Service Mesh is an infrastructure layer for microservices communication. It abstracts the underlying network details and provides discovery, routing, and a variety of other functionality. Many attempted to describe the differences between gateways and service meshes. This talk will also discuss the similarities and differences between the communication layer provided by gateways and service mesh. I want to illustrate the differences between API gateways and service mesh — and most importantly when to use one or the another pragmatically and objectively.
Foursquare presents the Product Manager's Extra Credit guide to building an A++ Enterprise API. Building an exceptional enterprise API is no easy feat. Earlier this year, Foursquare launched the new Places Enterprise API, built from the foundation of our renowned Developer API. In this session, we'll take you through every step of the process to create a delivery method that can meet enterprise standards and upgrade the developer experience - from understanding your customer's UX criteria and auditing the performance and security of your API infrastructure, to best SLA practices and everything in between.