{ Community }
  • Academy
  • Docs
  • Developers
  • Resources
    • Community Articles
    • Apigee on GitHub
    • Code Samples
    • Videos & eBooks
    • Accelerator Methodology
  • Support
  • Ask a Question
  • Spaces
    • Product Announcements
    • General
    • Edge/API Management
    • Developer Portal (Drupal-based)
    • Developer Portal (Integrated)
    • API Design
    • APIM on Istio
    • Extensions
    • Business of APIs
    • Academy/Certification
    • Adapter for Envoy
    • Analytics
    • Events
    • Hybrid
    • Integration (AWS, PCF, Etc.)
    • Microgateway
    • Monetization
    • Private Cloud Deployment
    • 日本語コミュニティ
    • Insights
    • IoT Apigee Link
    • BaaS/Usergrid
    • BaaS Transition/Migration
    • Apigee-127
    • New Customers
    • Topics
    • Questions
    • Articles
    • Ideas
    • Leaderboard
    • Badges
  • Log in
  • Sign up

Get answers, ideas, and support from the Apigee Community

  • Home /
  • Business of APIs /
avatar image
1

API Governance Reference  

  • Export to PDF
davissean   created · Sep 03, 2020 at 06:53 AM · 562 Views · edited · Sep 03, 2020 at 08:21 AM

When an organization looks to scale its API Program, it often introduces the need for stricter governance. This ensures quality and consistency across teams. Here is an example of a Governance Summary that may be used on an API Program.

API Design Standards

  • Pragmatic REST API Design
  • Consistent API Versioning - /grouping/v2
  • JSON payload format as standard
  • Consistent Error Format
  • Reuse APIs proxies and policies where possible
  • Consistent Naming Conventions

Security Standards

  • All APIs should be protected with OAuth 2.0
  • Communication between API Proxies and backend services should be protected with Mutual TLS
  • IP allowlisting should be implemented between Apigee and the Target Systems
  • A centralised Identity Provider will be used for all API token issuance

Software Development Lifecycle

  • All code should be stored in source control and use GitLab flow branching strategy
  • Code can only be deployed using Continuous Integration in all environments except dev
  • Complex custom code should be unit tested using JUnit for Java and Mocha for JS.
  • All APIs should be integration tested, with apickli as the recommended library.
  • Releases should progress through each of the Organization and Environment stages
    • Development
    • Integration
    • Performance Benchmarking
    • User Acceptance Testing
    • Preproduction
    • Sandbox
    • Production

Common Proxy Functions

  • Proxies should be created from a central Proxy Template
  • Common functions like logging, token validation and error handling should reuse central Shared Flows

API Specification

  • All APIs should be documented as OpenAPI Specifications
  • Mocks can be derived from OpenAPI Specifications
  • Developer Documentation can be derived from OpenAPI Specifications

Maintenance and Support

  • SLAs should consider the SLAs of downstream services
  • Deprecated API versions will be supported for 6 months from deprecation
  • API Status must be communicated through the Developer Portal
  • API Support is provided by the Support team using their standard practices

API Monitoring

  • All APIs will be monitoring using centralised monitoring tools
  • All APIs should implement /ping and /status API endpoints

Logging and Analytics

  • All APIs should log to a centralised logging system
  • Log format should be consistent and contain the minimum standard fields
  • All APIs should provided consistent Analytics

Role-Based Access Control

  • Developers should have access to all functionality in the nonprod organization
  • Operations should have access to all functionality in the prod organization
  • Business users should have access to Analytics in all environments
  • Continuous Integration service accounts should have access to only deploy in all environments

Developer Engagement

  • All API documentation will be published on a central Developer Portal
  • Clients must onboard to use APIs via the central Developer Portal
  • API sandboxes must be available for consumption by the Developer Portal
  • Internal APIs can be privately published to restrict availability to internal users

Delivery Methodology

  • Development teams should prefer iterative over waterfall methodologies.
  • APIs should be treated as Products and not only technical assets

Team Structure

  • A Virtual API team as described here

Execution

  • The Platform team will decide between Policeman, Teacher and Referee for any breaches of the guidelines
  • Scrum development methodology will be used, with a Product Owner as a full time member of the API team
thub.nodes.view.add-new-comment
api governance
Add comment Show 1
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Dino-at-Google ♦♦   · Sep 03, 2020 at 11:46 PM 0
Link

Super helpful, Sean, thank you!

Article

Contributors

avatar image

Follow this article

74 People are following this .

avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

Navigation

API Governance Reference

Related Articles

API Governance tooling approaches - How do I automate my API program governance?

  • Products
    • Edge - APIs
    • Insights - Big Data
    • Plans
  • Developers
    • Overview
    • Documentation
  • Resources
    • Overview
    • Blog
    • Apigee Institute
    • Academy
    • Documentation
  • Company
    • Overview
    • Press
    • Customers
    • Partners
    • Team
    • Events
    • Careers
    • Contact Us
  • Support
    • Support Overview
    • Documentation
    • Status
    • Edge Support Portal
    • Privacy Policy
    • Terms & Conditions
© 2021 Apigee Corp. All rights reserved. - Apigee Community Terms of Use - Powered by AnswerHub
  • Anonymous
  • Sign in
  • Create
  • Ask a question
  • Create an article
  • Post an idea
  • Spaces
  • Product Announcements
  • General
  • Edge/API Management
  • Developer Portal (Drupal-based)
  • Developer Portal (Integrated)
  • API Design
  • APIM on Istio
  • Extensions
  • Business of APIs
  • Academy/Certification
  • Adapter for Envoy
  • Analytics
  • Events
  • Hybrid
  • Integration (AWS, PCF, Etc.)
  • Microgateway
  • Monetization
  • Private Cloud Deployment
  • 日本語コミュニティ
  • Insights
  • IoT Apigee Link
  • BaaS/Usergrid
  • BaaS Transition/Migration
  • Apigee-127
  • New Customers
  • Explore
  • Topics
  • Questions
  • Articles
  • Ideas
  • Badges