FAQs for designing and developing APIs

This FAQ guide provides concise answers to common questions about developing and designing APIs using IBM API Connect. Learn how to create, version, document, and publish APIs, manage access controls, and enable developer-friendly features like interactive testing and spec uploads—all within IBM's powerful API Connect platform.

How do I create an API in IBM® API Connect
  • Using Developer Toolkit (Desktop Tooling)
    • IBM provides a developer toolkit that allows API creation on a local machine.
    • You can define APIs visually.
    • This toolkit supports:
      • API creation
      • Policy flows
      • API plans
      • Deployment to on-premise
  • Import existing definitions
    You can import:
    • OpenAPI specifications
    • WSDL services
    • GraphQL schemas
    • Existing endpoints (REST or GraphQL) to auto-generate proxy APIs
  • CI/CD integration
    API Connect integrates with DevOps pipelines via:
    • REST APIs
    • CLI tools
    This allows automated API creation, testing, and deployment.
Does IBM API Connect support API versioning?
IBM API Connect provides flexible and comprehensive support for managing multiple versions of APIs:
  • Version Metadata
    • APIs are built on the OpenAPI Specification, which includes a version field.
    • API Connect honors this field and uses it to manage versions internally.
  • Version management features
    • Dropdown menus in the API Manager UI allow users to switch between versions of an API.
    • Developers can clone an API to create a new version. This is a deep copy, including:
      • Schemas
      • Operations
      • Documentation
How to publish an API to the Developer Portal

  1. Create the API Definition

    • Use the API Designer (desktop toolkit) or API Manager UI to define your API.
    • You can create it from scratch, or import an OpenAPI spec.

  2. Package the API into a Product

    • IBM API Connect uses Products to bundle one or more APIs.
    • Define plans, rate limits, visibility, and subscription rules within the Product.

  3. Configure visibility and access

    • Set the visibility of the Product and API:
      • Public
      • Authenticated users only
      • Specific developer organizations
    • Configure subscription approval if needed.

  4. Publish the Product to a Catalog

    • A Catalog represents an environment (e.g., Sandbox, QA, Production).
    • Use the API Manager to publish the Product to the desired Catalog.
    • This makes the API available in the associated Developer Portal.

  5. Enable “Try It” Functionality

    • Ensure the API supports CORS and OPTIONS methods.
    • This allows developers to test APIs directly from the portal.

  6. Monitor and Manage

    • Use Analytics to track usage, errors, and performance.
    • Manage subscriptions, revoke keys, and communicate with developers.
Does API Connect support GraphQL?

Yes. It includes declarative support for GraphQL with schema introspection and low-code building blocks.

Does API Connect integrate with CI/CD pipelines?
Yes. It offers REST APIs and CLI tools for seamless DevOps integration.
Can existing OpenAPI or WSDL definitions be imported?
Yes. API Connect supports importing OpenAPI, WSDL, and GraphQL definitions.
Does IBM API Connect support Open API 3.0?

Yes, IBM API Connect supports OpenAPI 3.0 specifications.

Support details:

  • You can create and publish APIs using OpenAPI 3.0 in API Connect.
  • Products can include a mix of OpenAPI 2.0 and 3.0 APIs.
  • Validation is available via the API Connect CLI (apic validate) and API Manager.
  • The oai_version property indicates the OpenAPI version for an API object.

Gateway compatibility:

  • OpenAPI 3.0 is supported only on the DataPower API Gateway, not on the older v5-compatible gateway.
For full details, see OpenAPI 3.0 support in IBM API Connect
Does IBM API Connect support gRPC?
IBM API Connect does not currently support gRPC natively. It primarily focuses on managing REST, SOAP, GraphQL, WebSocket, and AsyncAPI-based APIs.
How to configure OIDC in API Connect?

To configure OIDC (OpenID Connect) in IBM API Connect, you have two main approaches depending on your use case:

How API Connect can be used to secure my APIs?
IBM API Connect provides multiple features which can be used for easily securing APIs. For details, see Securing your APIs.
1. Authentication & Authorization
  • OAuth 2.0 / OpenID Connect: Configure native or third-party OAuth providers for token-based authentication.
  • API Keys: For simpler use cases, but combine with TLS for security.
  • LDAP / Enterprise User Registries: Integrate with corporate identity systems for user validation.
  • Mutual TLS (mTLS): Enforce certificate-based authentication for trusted clients. For details, see Security and authentication.
2. Transport Layer security
  • Use TLS profiles to secure inbound and outbound traffic.
  • Support for TLS 1.3 ensures modern encryption standards.
  • Configure mutual authentication for extra security between client and gateway.
3. Threat Protection
  • Built-in DataPower Gateway provides:
    • DDoS protection
    • XML/JSON threat protection
    • SQL injection protection
  • Apply rate limiting and quota policies to prevent abuse.
4. Advanced API security
  • Integrate Noname advanced API security for:
    • API discovery and posture management
    • Runtime protection and active testing
    • Automated security testing in CI/CD pipelines.
5. Policy Enforcement
  • Use drag-and-drop policy editor in API Manager to apply:
    • OAuth
    • JWT validation
    • Client ID & Secret enforcement
    • Threat protection policies.
6. Monitoring and Auditing
  • Enable audit logs for API calls.
  • Use API Connect analytics for visibility into API usage and anomalies.