API Complexity Is a Lie
How some businesses live off API complexity while others sell simplicity.
Anyone telling you that working with APIs is hard isn't telling the truth. What is hard isn't the API. It's all the tools, processes, and technical language surrounding it. Some businesses thrive by navigating this perceived complexity and feeding it. However, there are others who remove all the noise to convey solutions that are as simple as possible. Why is that?
This article is brought to you with the help of our supporter: Speakeasy.
Speakeasy provides you with the tools to craft truly developer-friendly integration experiences for your APIs: idiomatic, strongly typed, lightweight & customizable SDKs in 8+ languages, Terraform providers & always-in-sync docs. Increase API user adoption with friction-free integrations.
"If you're not a part of the solution, there's good money to be made in prolonging the problem." This quote fits what I believe is happening with some API tools now. Instead of providing solutions, many tools present themselves as a way to alleviate the existing problems. If those problems go away, there's no money to be made. So, many businesses thrive on incentivizing the growth of API complexity.
API security is one area where there's an incentive to prolong the problem. The longer companies have API security challenges, the longer security companies will be able to sell their products. According to Gartner's 2023 hype cycle for APIs, API security testing was at the top. Sitting at the so-called "peak of inflated expectations," API security companies will most surely enjoy two to five years until the industry matures. Today, though, API security testing is navigating Gartner's infamous "trough of disillusionment" showing that it's trying to become mature.
You can see the interest in API security companies in the amount of recent partnerships, acquisitions, and funding. Whether it's Akamai buying Noname, Traceable entering into a strategic agreement with AWS, F5 buying Wib, or startup funding such as LeakSignal's $1.6M, and P0's $6.5M. There's clearly money to be made in the API security area. Because it's an area that feels complex to handle, most decision-makers prefer to buy a "solution" than risk their reputation and be the target of an attack. In other words, what these companies sell is a painkiller that doesn't fix the security problem but, instead, provides a way to discover and mitigate it.
Another area where selling complexity works is API management. It first started as a mostly technical area where the goal was to make sure you could easily serve your API to consumers. Then, slowly, it permeated almost all areas related to building and maintaining APIs. Whenever one of the areas became easy to understand, new areas were added to API management products to make the whole problem space larger.
Suddenly you see products that want to do everything. And, in doing so, they make it look like APIs are complex and difficult to work with. Because otherwise, you wouldn't need those products, would you? Following these bloated products, you see a growth in consulting professionals. Their aim is to help you work with those products to manage and secure your APIs efficiently. Yes, those products become so complicated that you end up needing help from consultants. But it doesn't have to be that way.
On the other side of the spectrum, you see companies building what I like to call single-feature products. These are simple API products that offer one or a couple of very well-done features. These products have a clear value proposition and offer a real solution to an existing challenge. They're not painkillers. They exist to fix the problem that causes the pain.
One area where I've been seeing this "unbundling" and simplification happen is API gateways. If, years ago, API gateways used to be complicated pieces of software, now anyone with a minimum knowledge can use them. Most recent API gateway products aren't trying to sell more than what they need. They're not trying to expand their footprint in adjacent areas. Their goal is to make your life easy by removing any complexity related to exposing your API operations.
However, the product segment where I feel there's a strong will to offer simplicity is API documentation. We've come a long way since those days when we had to document APIs by hand. Now, API documentation is embedded into the design process. It's, in fact, a part of the design process. A well-designed API will benefit from automatically generated documentation. Most documentation products have been offering tools that do one thing well and get out of the way.
Also, the output of generated API documentation is becoming more simplified and user-friendly than it used to be. There's a specific interest in offering the best possible experience to API consumers. API producers and consumers are becoming sophisticated and expect documentation products to deliver results. I've been sharing my thoughts on what good API documentation should be. I must say that this new wave of products I'm seeing provides all the elements you need to offer good documentation.
So, why are some companies betting on complexity while others pick simplicity as their moat? I think it has to do with the target personas of the product they're building. Whenever a product targets the API producer, features tend to be more complex. The product itself tends to aggravate the difficulty in dealing with API processes, while not wanting to change the status quo too much. Products targeting API consumers—or the direct relationship between them and the producers—tend to rely on simplicity and challenge the existing state of things.
I believe companies that are feeding on API complexity will have to change at some point. There will be new products unbundling what those more complex ones are offering. Those new products will offer a more simplistic approach to common challenges, instead of exacerbating them. What is now commonly seen as complex will become obviously simple. API complexity isn't real. Some companies want you to believe that way so you keep buying their products.
Sure getting started with unsecured apis is EASY. Getting a single endpoint up on single threaded unsecured on overly priced tooling is simple. But then you have to secure it:
- cors
-jwt
-oauth
-sessions
-tokens management
-user management
-caching
-rate limiting
-rule syncronization
-internal/external redirection with rule syncronation
-etc etc
All fairly easy and simple for those who don't want their databases mined and their websites hacked.
I appreciate the clarity in your posts! They inspire me to leverage tools that improve the API debugging experience. EchoAPI has become my go-to solution for that very reason.