Several questions about Apigee features

anton
Participant V

Hello,

We're leaning towards choosing Apigee as our API gateway and I have a few questions to complete the picture:

  1. Does Apigee allow us to attach our own ID string to a developer who signs up, and to get it later along with the parameters of each API call? It's a very important feature for us.
  2. We have our Terms of Service which each Developer who signs up has to accept as a "click through", basically check a box that he or she agrees to the ToS. Is this possible in the Apigee dev portal?
  3. How can we extract the data stats collected by Apigee for our own BI system?
  4. I recall that the data retention is 90 days, and I assume that after that the data is archived or deleted. Correct?
  5. About data retention again - what kind of data is deleted after the retention period ends?
  6. How can we ensure in our API target endpoint that it's the Apigee proxy that's calling us and not some impostor?

Thanks in advance,

Anton.

Accepted solution

@Anton+Bar, great questions once again. Please find answers below.

Does Apigee allow us to attach our own ID string to a developer who signs up, and to get it later along with the parameters of each API call?

  • Yes, it's possible and available out of the box. It's one of the most common features used in building APIs. You can define developer attributes in the Apigee Drupal-based Developer Portal. As an administrator you can assign values, expose them as a field to the developer as a self-service thing in the registration form, or auto-generate them using a custom algorithm. These attributes will be saved in Apigee Edge Cassandra and will be available at API runtime when the developer creates an app and calls the API using keys or tokens.
  • You can retrieve developer attributes at runtime using the Access Entity policy, or they will be available automatically as flow variables if you use a policy like verify key or token.

We have our Terms of Service which each Developer who signs up has to accept as a "click through", basically check a box that he or she agrees to the ToS. Is this possible in the Apigee dev portal?

  • Yes, it's available as an out-of-the-box feature in the Apigee Developer Portal.
  • You need to enable the "legal" module in the Apigee Dev Portal to configure it.
  • For example, at http://dev-4mv4d.devportal.apigee.io/ click on Register and see the T & C checkbox.

How can we extract the data stats collected by Apigee for our own BI system?


I recall that the data retention is 90 days, and I assume that after that the data is archived or deleted. Correct?

That's correct. But you can take a backup to your own systems using the Apigee Analytics APIs. If it's on-premise, basically you manage the data and retention.

About data retention again - what kind of data is deleted after the retention period ends?


  • It's only Apigee API Analytics data. It won't have any impact on runtime of APIs.

How can we ensure in our API target endpoint that it's the Apigee proxy that's calling us and not some impostor?

  • You will implement last mile security in Apigee Edge. Apigee recommends Mutual 2 way SSL where you install certificates on Apigee & Target so that only Apigee can call your targets.

Hope it helps. Keep us posted if any.
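
The two-way TLS setup recommended in the last answer, sketched as an Apigee Edge target endpoint definition. This is an added example, not configuration posted in the thread; the keystore and truststore reference names, the key alias and the backend URL are placeholders.

```xml
<!-- Added example: reference names, key alias and URL are placeholders -->
<TargetEndpoint name="default">
    <HTTPTargetConnection>
        <SSLInfo>
            <Enabled>true</Enabled>
            <!-- Present Apigee's client certificate to the target (two-way TLS) -->
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>ref://exampleTargetKeystoreRef</KeyStore>
            <KeyAlias>example-client-cert</KeyAlias>
            <!-- Validate the target's server certificate against this truststore -->
            <TrustStore>ref://exampleTargetTruststoreRef</TrustStore>
            <IgnoreValidationErrors>false</IgnoreValidationErrors>
        </SSLInfo>
        <URL>https://api.backend.example/quotes</URL>
    </HTTPTargetConnection>
</TargetEndpoint>
```

This only covers the Apigee side. The target itself has to require a client certificate on every connection and trust only the certificate installed in the Apigee keystore, otherwise callers that bypass the proxy are still accepted.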


@Dino - thought you might be interested in this one

Where can I find documentation on the first feature on this list - keeping and passing on the developer ID string?

Wow, I'm not sure there's a whole lot of documentation on the developer ID. Apigee Edge manages several kinds of "entities" to support secure access to APIs. These entities are:

  • Developers
  • Developer apps
  • API Products

Each entity, when created, implicitly gets a unique "id".

The normal course of action is:

  1. a human registers on the developer portal. This creates a "Developer" entity in Apigee Edge with the demographic information collected from the registration form. At a minimum, it would be Firstname, Lastname, email. But you could extend this to include other information as Anil mentioned. The developer entity gets assigned a unique ID. Let's say, 123456.
  2. In the developer portal, the developer peruses the API catalog (catalog of API Products), and then requests a key for access to an API Product. If the administrator allows this, then a new developer app is created, mapping that developer to that API Product. The developer app also implicitly gets "credentials" , which is a client id + secret. The developer app also implicitly gets assigned a unique "ID". Maybe in this case it is 78787.
  3. The developer builds a working app and then sends an API request with the credentials. Apigee Edge verifies the credentials and implicitly retrieves the developer app id (78787), and the developer id (123456), as well as the other data associated to the developer. This way, the smart proxy running in Apigee Edge can make decisions based on the developer, or the developer app. A proxy could even do a lookup using either of those IDs in an external third-party PDP (policy decision point) to determine if the app should be allowed to perform the action it is requesting.

Does this make sense?

Does it answer your question regarding "keeping and passing on" the developer ID? If not, what do you mean by "passing on" ?

@Dino, I believe @Anton+Bar is talking about Developer Custom Attributes. For example, let's say I have an internal team member who is consuming APIs. Every team member will have an internal ID. They might need to access this at runtime for various purposes.

  • Internal Team Member registers in developer portal & provides his id in registration form in Developer Portal.
  • We will capture this information using Developer Attributes in developer portal.
  • This information gets associated with Developer Entity in Apigee Edge.
  • In API run time, This info will be fetched based on the key / token related to Developer App -> Developer -> Developer Attributes using Access Entity Policy or Out of the box auto populated flow variables.

@Anton+Bar, am I right?

Yes @Anil Sagar, you are right, that's exactly what I mean. We need to get something that identifies the application that calls our Target Endpoint. This is because some partners that use our APIs get results that are different than the rest.

Let me take a step back - Freightos.com is a marketplace for instant quotes for international door-to-door freight. Everyone can sign up and search for quotes; however, larger partners that have private rates on some routes can import them to the marketplace and get them when someone searches for rates through their software. These rates are private and should not be available to anyone else.

This is why we need to identify the application / developer that calls our API.
Actually identifying an application is even better because the same developer could have different applications pulling different rates.

As you see, this feature is critical for our workflow.

Possible? Thoughts?

@Anton+Bar , Absolutely possible, You can have App Attributes similar to Developer Attributes. You can use these Attributes in API runtime & implement business logic.

For example,

  • I will create a new Developer Attribute called Partner Type in the Developer Portal.
  • You can define who will provide this information, for example the end user as self service, or the portal admin through an approval workflow.
  • When a user gets created, the default value of the Developer Attribute Partner Type is set to public-developer.
  • The above attribute will get associated with the Developer Entity in Apigee Edge.
  • The admin can moderate the developers and set / update the Partner Type attribute to something else, let's say silver-partner.

When a silver partner creates an app and accesses the API /hello, he will get a response like:

{
  "hello": "world",
  "premiumcontent1": "secretdeal1",
  "premiumcontent2": "secretdeal2"
}

When a public developer creates an app and accesses the API /hello, he will get a response like:

{
  "hello": "world"
}

I have created a sample POC for you where you can play with the same. To see it in action, follow the steps below.

  • Get the consumer key and make the API call below with the updated key in the query param:

http://apigee4mv4d-test.apigee.net/v1/hellomock?apikey=YOURKEYHERE

You should see,

{
  "hello": "world"
}

Now,

  • Log out and create another user called partner_xyz.
  • Once logged in, go to Edit Profile and change the Partner Type to Silver / Gold.

http://apigee4mv4d-test.apigee.net/v1/hellomock?apikey=YOURKEYHERE

You should see response like,

{
  "hello": "world",
  "premiumcontent1": "secretdeal1",
  "premiumcontent2": "secretdeal2"
}

As you can see, Same API different response based on Developer Type.

API Proxy Screenshot, See verify api key, Access Entity policies in request & assign message policies with conditions that sends above response based on the attribute value.

Hope it helps. Keep us posted if any.

@Anil Sagar, can you please post an Access Entity policy XML that gets an app value called "partner-id" and adds it to the query parameters received by the target endpoint? I read all the docs you have and am still at a loss on this one...

Actually I managed to get it through the verification as you previously suggested. The Trace feature is very helpful. Here's how I did it:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Set-Partner-ID">
    <DisplayName>Set Partner ID</DisplayName>
    <Properties/>
    <Copy source="request">
        <Headers/>
        <QueryParams/>
        <FormParams/>
        <Payload/>
        <Verb/>
        <StatusCode/>
        <ReasonPhrase/>
        <Path/>
    </Copy>
    <Add>
        <Headers>
            <Header name="freightos-partner-id">{verifyapikey.verify-api-key.freightos-partner-id}</Header>
        </Headers>
    </Add>
    <Set>
        <Headers/>
        <QueryParams/>
        <FormParams/>
        <!-- <Verb>GET</Verb> -->
        <Path/>
    </Set>
    <AssignVariable>
        <Name>name</Name>
        <Value/>
        <Ref/>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

@Anton+Bar , You don't need to use Access Entity policy to retrieve app attributes. When you verify App key using verify API key policy, App Attributes are automatically populated by Apigee. They are available as flow variables. You can use same & send it to target using Assign Message Policy. For developer attributes, You need to use Access Entity Policy if you would like to retrieve the developer attributes.

Assign Message Policy that adds partner-id to target,

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AddQueryParamTarget">
    <DisplayName>AddQueryParamTarget</DisplayName>
    <Properties/>
    <Set>
        <QueryParams>
            <QueryParam name="partner-id">{verifyapikey.Verify-API-Key-1.partner-id}</QueryParam>
        </QueryParams>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

I have created a proxy that has Verify API Key in the request flow, which takes the key and verifies it. When that happens, Apigee auto-generates the flow variables, which include the app attributes. I am using the same in the Assign Message policy to add it to the request that will be sent to the target.

You can see same in action by following below steps,

1. Create an account in developer portal here,

http://dev-4mv4d.devportal.apigee.io/user/register

2. Create an App

http://dev-4mv4d.devportal.apigee.io/user/me/apps/add

3. Provide a Partner Id (App Attribute) of your choice and select helloMock as the Product.

4. See the app details and get the app key.

5. Make an API call to the proxy, replacing the API key with the app's consumer key:

http://apigee4mv4d-test.apigee.net/v1/hellomock?apikey=6FGWRwqpCzocluH578qD1eFnq3DjPvBm

6. See the response query params. I am using httpbin.org/get as the target, which sends back the request. Notice args: it has the partner-id that the developer gave while creating the app.

See attached proxy for your reference,

hellomock-rev4-2017-07-30.zip


Hope it helps.
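
Since the target uses this value to decide who sees private rates, the proxy should be the only place it can come from. The following is an added example, not a policy posted in the thread: a variant of the Assign Message policies above that drops any caller-supplied `freightos-partner-id` header or `partner-id` query parameter before setting the header from the verified key, and fails the request when the attribute does not resolve. The policy name is hypothetical, and the flow-variable prefix assumes the Verify API Key policy is named `verify-api-key` as in Anton's post.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example: hypothetical policy name. Attach it in the request flow
     AFTER the Verify API Key policy named "verify-api-key". -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="Set-Trusted-Partner-ID">
    <DisplayName>Set Trusted Partner ID</DisplayName>
    <!-- Drop anything the caller sent under the names the target trusts,
         and stop forwarding the API key itself to the backend -->
    <Remove>
        <Headers>
            <Header name="freightos-partner-id"/>
        </Headers>
        <QueryParams>
            <QueryParam name="partner-id"/>
            <QueryParam name="apikey"/>
        </QueryParams>
    </Remove>
    <!-- Set (not Add) so exactly one value, taken from the verified key, is sent -->
    <Set>
        <Headers>
            <Header name="freightos-partner-id">{verifyapikey.verify-api-key.freightos-partner-id}</Header>
        </Headers>
    </Set>
    <!-- false: an app without the attribute raises a fault instead of
         reaching the target with an empty partner ID -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

On the target side, the header is only trustworthy if direct calls that bypass the proxy are rejected, which is what the two-way TLS recommendation earlier in the thread is for.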

Another followup question @Anil Sagar- how do I enable the Legal module? I don't see any modules in the Admin site...

@Anton+Bar, do you have access to the Apigee Drupal-based Developer Portal? OOB, it looks something like the site here: dev-4mv4d.devportal.apigee.io. By default, it's not available for trial users.

Believe me, Apigee is not just about building APIs / managing APIs like transformation, mediation, traffic management like above. We believe the API Gateway is a commodity already, though the Apigee API Gateway is very powerful and has many out-of-the-box features.

Apigee's value comes with end-to-end visibility using Analytics, handling billions of API calls with SLAs like 99.999%, Developer Services which provide flexibility and onboarding partners within a matter of hours using a self-service portal powered by the famous open source CMS Drupal, scaling your APIs using Apigee Edge's powerful cache features, API SmartDocs documentation and many more. Just FYI, 60% of Top World Global Retailers' API traffic is powered by Apigee and we handle thousands of TPS, billions of API calls every day on cloud, including events like Black Friday.

Many see API Management as an API Gateway, but we see it as a Digital Transformation value chain that connects End User -> App -> Developer -> APIs -> API Team -> Backend, and Apigee offers capabilities that help you achieve the same using API Services, Analytics Services, Developer Services, Monetization Services.

@jwyatt FYI