API Governance Delivers Quality
The ultimate purpose of API Governance is to improve the quality of what it governs.
Effective governance provides the foundation for establishing, maintaining, and improving API quality. What is the relationship between API Governance and quality? How can you influence API producers to follow governance rules to achieve high quality? Read on to see my perspective on how to apply governance by focusing first on quality.
This article is brought to you with the help of our supporter: Speakeasy.
Speakeasy provides you with the tools to craft truly developer-friendly integration experiences for your APIs: idiomatic, strongly typed, lightweight & customizable SDKs in 8+ languages, Terraform providers & always-in-sync docs. Increase API user adoption with friction-free integrations.
The main goals of API Governance are related to consistency, standardization, security, compliance, performance, agility, and alignment with business goals. Let's look at each individually to understand better how they affect an API's quality.
Consistency is the thing about API Governance that most of you are familiar with. API consistency means that all the APIs an organization builds are designed following a set of standards. These include among other things naming conventions, payload formats, and how to deliver and maintain API versions. This area of API Governance is quite popular because it's related to linting, the action of checking if an API design follows whatever rules are in place. As I see it, linting became popular with the usage growth of tools like Spectral.
The second area I mentioned, security, deals with the ability to protect your API and the data it manipulates from unwanted access. To do that you can run a series of security tests that verify how well your API performs. You can use three types of security-related tests: static (SAST), dynamic (DAST), and fuzzing. It's a combination of these types of tests that will determine whether or not you can consider your API secure. In particular, you can use the popular OWASP API Security Top 10 list of vulnerabilities as your point of reference.
Speaking of popularity, another area gaining adoption is compliance. Being compliant is often necessary if you operate in markets such as banking or healthcare. As I wrote in the book "Building an API Product," "without good care, you can run into situations where you fail to comply with regulations and might run into legal complications." The two most well-known regulations are the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).
Even though less obvious, the relationship between API Governance and performance is critical. In the same way you can test your API for common security-related concerns, you can verify if your API is designed and implemented in a way that makes it performant. And by performance I mean the low latency and response time of every operation the API performs.
Agility, another goal of API Governance, has to do with the ability to innovate without creating challenges for consumers. You can achieve that with a well-planned API lifecycle management including thought-out versioning and change management. The goal is to make sure consumers don't have to make changes on their end to keep using your API.
Finally, aligning your API operations with the goals of your business is something API Governance also deals with. In many cases, the interest is in controlling the costs associated with operating the API. However, there's a growing trend, especially when monetization is in place, to explore the API revenue to grow the business as a whole. There are other areas where business goals need alignment from the API such as regulatory compliance. In this case, companies need to ensure APIs are fully compliant with any internal or external regulations they adhere to.
So, what do these topics have to do with API quality? How can governance influence the perceived quality of an API? To understand the connection let's see what API quality means to me.
I see quality as something hard to define from the perspective of the producer. Instead, it's something that depends on who the consumer is. Different consumers give importance to different aspects of an API and see quality in different ways. Some consumers look for performance when they interact with an API. Others give more importance to how easy it is to create an integration. Clearly, there's no way to define API Quality as a single metric. Instead, you probably need a combination of metrics to be able to define the quality of your API.
And, those metrics are related to the goals of API Governance I identified previously. Achieving the quality you desire for your API depends on the perception consumers have. And that perception depends on the success of metrics that depend on how well your API is governed.
This is the relationship between API Governance and quality. If API Governance succeeds, you'll have good consistency, standardization, security, compliance, performance, agility, and alignment with business goals. These, in turn, translate into a perception of quality among the variety of stakeholders who interact with your API.
This relationship makes me think that the best approach to managing API Governance is not to ask people to follow rules blindly. Instead, it's better to start from the end goal of having the best possible API quality. By identifying the metrics that matter to achieve quality, you can come up with a set of governance principles that motivate the people who build the API. Sometimes it's better to start from the end goal to explain what is needed, instead of forcing rules and policies that are often misunderstood.