What is API Governance?

As application programming interfaces (APIs) have become more common in enterprise architecture, there’s been a push for IT departments to implement API governance measures. This article examines API governance. It looks at how API governance works, along with its benefits, challenges, and best practices.

What is API governance? The short answer is that it’s a set of rules and practices that control how APIs are used—with the goal of ensuring security and compliance. A deeper answer is in order, however, if you want to understand why API governance is important and why the leaders of a corporation are insisting on it.

API governance is a subset of IT governance, which is a subset of corporate governance. The essence of corporate governance is that the owners of a business, the shareholders, want to make sure that their agents, the executives, have clear and sensible rules for how they run that business. At the risk of being coarse, corporate governance is the answer to the shareholder’s question, “What are you doing with my money?”

A corporation’s executives are custodians of the shareholder’s property. They need to demonstrate that they are being prudent with those assets. This is why, for example, a corporation usually has a rule that the board must approve certain investments, with the goal of minimizing risk to shareholder assets.

IT governance flows from this principle. It’s a formal framework that’s designed to ensure that IT investments support a corporation’s objectives while keeping risk to a minimum. In some cases, IT governance must adhere to government regulations like the Gramm–Leach–Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX).

API governance is part of this bigger picture. It is the practice of making all APIs subject to a common set of rules, standards, and security policies. This usually involves setting up standardized conventions for documentation as well as security mechanisms. For example, an API governance rule might specify that APIs need to use a common data model. There will be agreed-upon rules for versioning, integration, deprecating, and so forth, along with security policies like the use of OAuth and encryption in transit.

Benefits of API governance

API governance, assuming it is consistently and properly implemented, enables an organization to create, update and manage all APIs throughout their lifecycles. The standardization of development, documentation, version control, and security makes this possible. If there is a question about any of these focus areas, governance rules eliminate distracting debate and contradictory actions that impair the effectiveness and security of the API portfolio. The assumption is that all relevant stakeholders have come together to make decisions about governance collectively.

At a higher level, the benefits of API governance are about the realization of business strategies. For example, if a company’s competitive strategy involves integrating applications with a supply chain partner, then API governance is essential to making this strategy work as a practical reality.

Going further, API governance is a key success factor in adopting an “API First” strategy, wherein APIs are the basis for product creation. The assumption is that applications are going to be interacting with APIs one way or another. APIs are thus critical for achieving the right business outcomes and should “come first.” In an API-first organization, all stakeholders, from developers to designers and product managers, are aware of APIs even before they are created. Without API governance, this is a difficult goal to attain.

Challenges to API governance

API governance is not always easy. The same could be said for corporate and IT governance. Rules are not sexy, important as they may be. One challenge that organizations run into with API governance has to do with problems of scalability. It can be stressful to make API governance operative across an increasing number of diverse teams, from DevOps to security, IT infrastructure management, and so forth.

Difficulties with API governance also tend to arise when an application is changing or expanding its scope. Adding new API clients from different partners, for example, can make applying governance rules inconvenient—and tempt people to ignore them. But that’s exactly when they’re needed most. Without the rules and policies, APIs start to break, precisely what you don’t want to have happening as business is on a growth trajectory.

API governance best practices

API professionals have developed a number of API governance best practices over the years. These vary from place to place, but in general, the optimal approach to API governance will include the following:

• Setting up a centralized set of API governance rules that apply organization-wide — These may include coding standards like OpenAPI as well as consistent metadata fields to make APIs discoverable and reusable.
• Allowing exceptions to rules when necessary — It’s inevitable that on certain occasions the rules won’t work. The governance model should be flexible enough to handle such cases.
• Automating API governance checks — Making self-service API governance possible is empowering and effective for people who make and use APIs. It makes everyone more productive and reduces the likelihood of stakeholders working around governance rules.
• Establishing an information model for planning, designing, and building APIs — Known as a “canonical model” under the service-oriented architecture (SOA) paradigm, a unified model with approved model objects and resources is able to standardize enterprise information in predetermined structures. This helps make APIs governable.
• Applying governance across the full API lifecycle — through the phases of plan, design, build, test, and run. This helps with governance by ensuring that APIs will be standardized and reliable wherever they are in the lifecycle.
• Implementing rigorous API versioning — Version control is where API governance can break down. Governance rules need to apply to all versions of an API, and they need to be documented. Determining if a new API is backward compatible is a related process.
• Making sure that API governance rules are met before deploying an API — It’s not wise to deploy an ungoverned API. Keeping up with API governance rules means having APIs that are compliant, consistent and complete.

Conclusion

API governance is essential for success with APIs, and by extension, the far bigger strategic vision they represent—broad, flexible integration between diverse technologies and the ability to realize digital transformation. Yet, API governance is not always so simple to execute. Being successful requires following best practices and working on the organizational side of the equation. API governance may be about rules, but making it work takes people coming together to agree on how they are going to do things. As these factors coalesce, effective, consistent API governance can become a reality.