Sometimes we come across a requirement to expose our APIs to third parties, especially when developing a trading platform where partners or aggregators need API access to perform a sale or other critical tasks.
If a website exposes APIs to third parties, the following points should be considered.
- API should have proper security (authentication/authorization) in place.
- API must be resilient and scalable.
- API should have access rate limitation – the last thing you want is third-party API access affecting the performance of the whole application.
- A mechanism in place to register for API usage.
- API developer documentation for third-party developers.
- API should be cost-effective to run & maintain.
- API endpoints should be future-proofed.
- It’s not ideal, but in reality different aggregators might be on different versions of the API.
- There should be an extra cache in place so GET requests do not hammer the database.
The obvious options
The obvious option is to expose services directly from Episerver, like ServiceAPI. We can create a wrapper around existing ServiceAPI services and extend their functionality. These services can use the same authentication model as ServiceAPI services. However, there are a few issues with this approach.
- Although Episerver WebApps hosted on DXP are scalable, we might have to scale up the whole application because of 1 or 2 APIs, and that is very costly.
- By default, services are not rate limited, so extra development is needed, and that results in more time & cost.
- Extra development is needed to register third-party developers, and that results in more time & cost.
- Extra development is needed for caching & API documentation for external developers.
- It’s difficult to maintain different versions of the same API.
Solution – The API Gateway
In my opinion, the best solution is to implement an API Management gateway. Azure API Management is a scalable API gateway offering from Azure that serves as a reverse proxy for all your APIs. “API Gateway” in AWS (Amazon) and Google Cloud are similar products.
Using API Management you can:
- Use one authentication for all your APIs, so the solution is future-proofed.
- Scale up/down even a single API.
- Integrate with Azure AD to authenticate and authorize API users.
- Cache responses (external Redis caching is also supported).
- Manage/define API usage quota per user and per service.
- Manage/define policies per user or per service.
- Produce painless documentation using the Developer portal.
- Maintain different versions of the same API.
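To show how several of the capabilities listed above fit together in one place, here is an added example of an API-scoped Azure API Management policy (not taken from the original article or from Episerver). It assumes the API requires a subscription key; the values in {braces} and all limits and durations are placeholders.

```xml
<!-- Added example: placeholders in {braces}; limits and durations are illustrative -->
<policies>
  <inbound>
    <base />
    <!-- Azure AD authentication: reject calls that lack a valid token for this API -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>{api-application-id-uri}</audience>
      </audiences>
    </validate-jwt>
    <!-- Short-term throttle per partner subscription: 60 calls per 60 seconds -->
    <rate-limit-by-key calls="60" renewal-period="60"
                       counter-key="@(context.Subscription.Id)" />
    <!-- Long-term quota per partner subscription: 100000 calls per 30 days (in seconds) -->
    <quota-by-key calls="100000" renewal-period="2592000"
                  counter-key="@(context.Subscription.Id)" />
    <!-- Serve repeated GET requests from cache so they do not reach the database.
         vary-by-developer keeps each partner's cached responses separate.
         Requests carrying an Authorization header are not cached unless
         allow-private-response-caching is enabled.
         prefer-external uses an external Redis cache when one is configured. -->
    <cache-lookup vary-by-developer="true"
                  vary-by-developer-groups="false"
                  allow-private-response-caching="true"
                  downstream-caching-type="none"
                  caching-type="prefer-external" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!-- Store backend responses for 30 seconds -->
    <cache-store duration="30" />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Calls over the rate limit are answered by the gateway with 429 and calls over the quota with 403, so throttled partners never reach the Episerver application.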
Explore more about API Management & Microservices
In the next article, we will discuss how to configure API Management Gateway to use with the Episerver website.