What is an API ecosystem?

A focus on the API ecosystem is useful both as part of an organization’s digital transformation and in the formation of API strategy and API-first business models. By building with the API ecosystem as the center of focus, rather than merely the API itself, organizations can create strategic and business advantages, including better developer and customer experiences, reduced API sprawl, greater IT security and improved application development efficiency.

The key components of an API ecosystem can generally be divided into three main categories: technologies (APIs and associated infrastructure), people (providers, consumers and community), and governance (standards, policies, support systems and assets.)

There are several different components of an API ecosystem’s technical infrastructure, all connecting in various ways like a spider’s web. The APIs themselves are the radial threads connecting parts of the web together, while API gateways, databases, applications and services and other infrastructure forms intersections, hubs and frames of the web.

An API is a set of rules or protocols that enables software programs to communicate with each other to exchange data, features and functionality. APIs enable application owners to simply and securely make their data and services available to both internal and external consumers.

APIs are increasingly vital to enterprise users today; enterprises have, on average, over 600 API endpoints in production, and entire businesses began as APIs, including payment processing companies, email data enrichment companies and financial services companies.  

An API gateway is a software layer that presents a single entry point for clients (such as web or mobile applications) to access multiple backend services, while simultaneously managing client/server interactions.

API gateways receive an API call, sometimes known as an API request, and route it to one or more backend services, depending on the nature of the request. The gateway then compiles the requested data and returns it to the client in a single response. Gateways enable clients to query multiple resources in a single call, rather than having to query several endpoints with several calls.

For example, an API gateway orchestrating services in a healthcare system might enable a user-facing application to pull data from multiple resources—such as a patient’s medical records, payment history and current scheduling—with a single API call.

API gateways also centralize other critical tasks, such as:

• Load balancing: distributing traffic to prevent overloading any single server.
  
  
• Rate limiting: restricting the number of requests per user to reduce the risk for certain types of attacks, such as distributed denial of service attacks (DDoS attacks), which rely on an excess of traffic to overwhelm security protocols.
  
  
• Authentication: using verification methods and protocols such as OAuth (Open Authorization) to assign access tokens, enabling temporary and specific access.

Databases are an integral part of an API ecosystem—they store the raw data that applications need to function. APIs serve as an intermediary and thus enable applications to interact with databases in a stable and secure way. APIs provide the interface that let applications perform operations—such as create, read, update or delete (CRUD)—in the database.

APIs also provide a layer of security by authenticating and validating access to help ensure that resources can be accessed only by clients authorized to do so. And APIs bring interoperability to the system, enabling applications written in different programming languages or built on different platforms to access the same databases.

Applications are the technological front end of the entire API ecosystem; it’s applications, such as mobile apps, web apps or desktop software, that a user, whether digital or human, interacts with (rather than the API itself).

Within the application, a user might select an action that requires the application to reach an external source for data or services to complete the action. This exchange is completed through the API. A request, often referred to as an API call or query, is sent to the API, which routes the request to the back end service responsible for the requested resource. The requested data is then returned to the client through the API.

Microservices, or a microservice architecture, is an approach to application-building that breaks down an application into many different independent services that can be built and operated separately. Microservices is not “small services,” but an architectural approach to integrating many services in one application. Microservices are useful for their flexibility, enabling services to be scaled and reused independently.

These services all work together, often communicating through APIs or through a service mesh. APIs are also used to connect microservices to external applications and systems, enabling interoperability and seamless integration.

In many cases, an API gateway is used in front of these services to field incoming API requests, route them to the appropriate service (or services) and return the answer to the client in one comprehensive response.

Continuous integration/continuous delivery (CI/CD) pipelines are part of the ecosystem because these pipelines are often used to develop, deploy and update APIs.

A CI/CD pipeline is a workflow that automates the process of writing, integrating, testing and deploying code. Developers can independently write code, tracking changes with tools like Git, and the code moves automatically through the pipeline for testing and validation. The validated code is then integrated into test environments or repositories like GitHub. The CI/CD pipeline is a way to reduce API or software development time, decrease costs, detect errors early and improve team collaboration.

The CI/CD pipeline is not visible to the end user; it is a common methodology used to move code from development to deployment and continually improve software and APIs through regular updates.

The developer portal is a hub containing everything that a developer might need to understand, use, integrate and optimize APIs. It is a fundamental part of the overall API ecosystem. A developer portal typically includes most or all of the following:

• API documentation: A repository of all API endpoints, HTTP methods and request parameters, error codes, request and response examples, authentication credentials and other information about the API.
  
  
• Guides and tutorials: A selection of helpful documents for getting started, often including examples and best practices.
  
  
• Interactive tools: A playground or sandbox in which developers can try out the API without having to write any code.
  
  
• Analytics: A dashboard for developers to track their API usage, including call volume, response times, rate limits, usage quotas and other metrics.
  
  
• Support: A selection of useful documents such as FAQs, change logs, white papers, webinars, release notes and contact information.

API management platforms are like the internal-facing version of the external-facing developer portal. An API management system offers controls for teams responsible for API oversight, with tools for deploying and sunsetting throughout the API lifecycle, managing traffic, tracking errors, enforcing security and governance policies and, often, managing billing and subscriptions.

The human element of the API ecosystem can also be split into three groups:

The API providers are the people and teams responsible for creating and publishing the APIs at the core of the ecosystem. They might include:

• Developers who choose frameworks, write the code, create, configure and build API endpoints, and find and repair bugs, among other tasks.
  
  
• Product managers who direct the API development team, asking and answering the big questions, such as, “Who is this for?” “What should this do?” “How does this fit into our existing IT environment?” and “What features must it have?” API product managers often manage partnerships and operate as liaisons between the developers and other stakeholders.
  
  
• DevOps engineers who help build and automate continuous integration/continuous delivery (CI/CD) pipelines, automated DevOps workflows used to streamline API delivery, testing and optimization.
  
  
• Security engineers who specialize in protection against data breaches and other security threats. APIs are designed to expose data, albeit in a limited way, which makes them a common vector for attack. API security engineers play a vital role in securing APIs and the applications and systems that they connect.

These are the developers using APIs to integrate applications and systems and build new products and services. API consumers are a crucial part of the ecosystem—after all, it’s this cohort that the API is designed to serve.

Consumers can be internal, part of the same organization that provides the API, external with limited access, or public consumers with full access. API design and documentation might differ depending on who the intended user is.

For example, a more self-explanatory user experience can be beneficial to a public API, as the provider organization might prefer to reduce the need for extensive troubleshooting and support.

Especially for public APIs, the community—a broader group that comprises consumers and other stakeholders—can be a vital part of the overall API ecosystem. The community typically consists of internal developers, open source contributors and hobbyists, business partners and everyday users of the applications that rely on the API to access data or services. The community can play a role in improving and innovating an API by:

• Creating or discovering new use cases for an API
  
  
• Monitoring, finding bugs, errors or opportunities for improvement
  
  
• Creating an ad-hoc system of support and documentation on platforms such as Reddit, Stack Overflow and GitHub
  
  
• Helping cement and perpetuate best practices and other standards
  
  
• Promoting an API to other developers, users and customers

API governance refers to the standards, policies and practices that direct how an organization develops, deploys and uses its APIs. The goal of creating API governance is to promote consistency, reliability, security and efficiency.

API governance might include style guides, security policies, naming conventions, versioning strategies, quality standards, incident and disaster response policies and more. For many industries, including healthcare, governance also includes legal compliance decisions, such as HIPAA requirements or other industry- or region-specific regulations.

A successful API ecosystem delivers significant benefits for both enterprises and developers:

• Faster innovation: Companies can build on existing services, accelerating time-to-market for new products.
  
  
• Extended reach: Third-party developers create integrations that introduce enterprise services to new platforms and users.
  
  
• API sprawl mitigation: Organized API libraries and accompanying documentation help teams to find and use existing services, preventing the creation of redundant services and APIs.
  
  
• Business value and monetization: APIs can become profit generators through usage fees, premium tiers, or by driving adoption of core products.
  
  
• Increased security: An effective API ecosystem maintains consistent enforcement of API security standards and protocols, such as the use of OAuth. Strong ecosystem management helps reduce the creation of shadow APIs—ad-hoc APIs built without the consideration or even acknowledgment of IT teams.
  
  
• Competitive moats and network effects: The integration of enterprise APIs by external developers drives switching costs and creates stickiness and lock-in effects. The more developers build on a platform, the more valuable the platform becomes, creating a self-reinforcing cycle that’s difficult for competitors to overcome.

• Reduced complexity: Access sophisticated functionality through simple interfaces without deep domain expertise.
  
  
• Focus on differentiation: Focus on creating unique features rather than commodity infrastructure.
  
  
• Composability: Leverage services from different providers to create new, innovative applications.
  
  
• Career flexibility: Transfer skills with popular APIs across companies and projects.