API Management

The Year Ahead in APIs

APIs have come a long way from the arcane geek-speak of software interfaces popularized by Win32 APIs (still among the most commonly searched API phrases). Today, APIs represent interfaces between businesses and large swaths of internal enterprise services and business units. APIs not only connect software to software but also help to create entire commercial ecosystems, and so have become integral parts of how enterprises conduct business.

Google Cloud's Apigee team has watched the API space evolve over the last decade or so, and we believe that the onwards and upwards march of “APIfication” within enterprises will take a few surprising and not-so-surprising twists and turns this year. Below are some of our predictions around the use and impact of APIs in 2019.

API standards

As APIs rapidly become the “contracts” between software systems within and outside of an enterprise, it seems natural that these contracts should get standardized. Shouldn’t there be one way to call an API to make a payment? Check a balance? Order a ticket? However, such standards have proven elusive because developers who write programs that call these APIs have largely been comfortable in tailoring their code to various API providers.

In 2019, we believe that the momentum will begin to shift toward greater API standardization in the following areas.

GraphQL

Hype surrounding GraphQL will accelerate, and GraphQL will be positioned as the first technology to solve the long-standing challenges around delivering reusable services and APIs. GraphQL will be most popular for first-party APIs that are intended to be used by mobile and single-page apps, although some API providers will also adopt it as an option, alongside conventional “REST-ish” APIs. We anticipate that as GraphQL’s popularity grows, there will be a vocal community that becomes highly critical of OpenAPI and argues that it is a legacy standard analogous to WSDL in the era of SOAP.

gRPC

We predict that gRPC will continue to see adoption in 2019 due to its importance within the Kubernetes ecosystem, and many microservices will be gRPC-based. Most APIs intended for third-party developers will continue to be REST-based, but API providers will start to offer gRPC as an option, particularly for high-throughput and low-latency scenarios.

APIs in industries: mandates, competition, and standards

For open banking and PSD2 adherence, financial services regulators have mandated APIs as a way to spur competition and foster innovation among banks. We expect to continue to see this trend sweep the globe as more countries require banks to give third-party providers access to customer information and the ability to initiate payments via APIs, and we expect to see regulators specify standards for these APIs.

While banks have little choice but to comply with these mandates, we’ve seen new industry-generated API specifications such as the Durable Data API (DDA) or the BIAN standards emerge. Banks are starting to view APIs as a way to compete in an increasingly digital world, instead of seeing them as simply a regulatory compliance issue.

We believe that in 2019, new banking API standards will emerge and will quickly gain traction because they are focused on helping banks acquire customers, lend more, and build software faster to compete in the API economy. We expect to see such standards emerge in other industries as well, presenting organizations with the challenge of deciding which standards to support.

There is a second trend that we believe will force the standards issue. APIs will increasingly be called by machines, which are often sitting behind web properties such as Google Search. These machines and these web properties will demand programmatic integrations, and this can only happen when some standards emerge. Schema.org is a good place for some of these standards to emerge (e.g., in parcel delivery), though others are entirely possible. We expect, in 2019, dozens of these specifications to emerge, often in the OpenAPI spec, which will give canonical call/response structures for various verticals.

The rise of machine and AI-driven API traffic

Today, most API traffic can be attributed to some human action. A consumer browses a product—a few API calls are made. A homeowner pays a utility bill—another few API calls. When traffic is machine-generated, on the other hand, it can be malicious, consisting of bots or security breaches. We expect this to continue. Whether it’s for crypto-mining or for credential stealing, we expect APIs to continue to bear the brunt of machine-driven traffic, which will burden backends unless the right security is built into APIs.

That said, we are beginning to see benign programmatic API calls, generated by algorithms or machine intelligence, take off. This is driven by several trends:

  1. The rise of voice applications: Voice, in the end, needs to be heavily AI/ML driven—so a call such as “Pay my bill” needs to be understood as “Pay my utility bill from PG&E for the current month using my stored credit card.” Simple requests into the voice system result in hundreds of API calls at the backend, all driven by machine intelligence figuring things out.
  2. The rise of IoT and home automation: At the recent CES conference, communicating devices were everywhere. They integrated with one another and with voice assistants through APIs, and through recipes such as IFTTT. With hundreds of thousands of different types of devices, bespoke integrations just do not work; APIs simplify the mix and match, though they don’t necessarily alleviate the need for some deeper business logic.
  3. AI going mainstream: AI is only useful when it can be leveraged into applications. However, not every team, or every enterprise, has the capability to do AI from scratch. We will see API-driven AI, where one team, or one business, builds a very good model in some domain, and other teams leverage that work through APIs. These teams might build their own AI models, which, in turn, another team might leverage. We are already seeing examples of this—like Google’s AutoML for image and text analysis, but we expect this trend to accelerate.

API-driven ecosystems

We’ve noticed that enterprises have begun to understand the importance of developers. Of the top 100 domains (defined as those with the highest number of pages that appear in a sample of 10 billion domains on the web), 94% had some developer-facing property, and among those 94%, 100% were offering APIs in the Swagger framework or the OpenAPI spec.

Developer offerings will become more prevalent and more API-centric

While 94% of the top 100 domains offer something for developers, in the same sample, this number falls to 9.5% for the top one million domains. We expect this skew to become less pronounced as the importance of developers becomes well understood by a larger number of domains.

REST APIs will be specified by OpenAPI

We are already seeing a trend: OpenAPI specs (formerly known as Swagger) are becoming de jure standards for specifying APIs that enable developer self-service. Anecdotally, when we ask our customers if they use the OpenAPI spec, the typical answer we get is, “of course!” In the analysis above, we only looked for Swagger or OpenAPI patterns, and even there, the percentage was very high.

API startups will proliferate

In the wake of Twilio and SendGrid, startups that provide infrastructure services via APIs will once again be considered viable investments for venture capitalists.

Microservices and APIs

While APIs that drive ecosystems and are visible to the public drive a lot of press, a much larger number of APIs are to be found internally within enterprises as interfaces between software systems and teams. Many of these APIs will be called “microservices,” even though they do not fit any serious definition of “micro.”

Envoy will be increasingly popular as the open source technology for APIs

With support from a lot of vendors, and with large enterprise implementations under its belt, Envoy is fast becoming the most popular choice for open source API gateways. We expect commercial offerings around Envoy to continue to proliferate in 2019.

A majority of enterprises will view microservices as modernized SOA

Except for a small set of enterprises who are deep into cloud-native architectures, the majority of enterprises who say they are using microservices will in fact be using the term to describe internal APIs with lightweight governance. The result will be that microservices hype will increase considerably as vendors try to market their solutions to all possible microservices projects.

Microservices will continue to have lots of different recipes

Successful microservices architecture is complex to design, build, and manage. There is a lot of experimentation and iteration, but it is early days for microservices, and a proven recipe for success has yet to emerge. Key to realizing the promise and benefits of microservices architecture will be successfully designing and building reusable, decoupled services that deliver scalability and agility for the business, with the right level of governance and lifecycle management capabilities. The availability of appropriate tooling for supporting and debugging microservices architecture will be key to its success in the enterprise.

Security

APIs represent a way to access enterprise services. They are also therefore a convenient point of attack. While API vulnerabilities have garnered some attention, we believe that unsecured APIs will be a fresh vector of attack in 2019.

Breaches of APIs for crypto mining

The K8S API vulnerability has shown that using unsecured APIs as a vector for taking over container orchestration platforms can yield immediate financial gains. Every business that uses elastic cloud infrastructure can be a target for attacks that attempt to inject cryptomining code into their cloud workloads. This will catch off guard many businesses who believe they haven’t put anything valuable in the cloud, when they find themselves paying the compute bills generated by criminal crypto-miners.

Breaches because of poor API security

Developers have understood that their web sites are vulnerable to attacks, and the best practices for securing them have become more and more common. External APIs are still taking off, and the best practices for securing them are not yet that widespread. In 2019, we believe we’ll see at least three types of breaches due to poor API security. All API management vendors will have serious conversations about API abuse with all their top-traffic customers. These abuses could include:

  • DDoS situations (high traffic rates) breaking API backends
  • Spam (APIs processing large amounts of junk content)
  • Credential abuse (reusing credentials to break into protected APIs)

Summary

As APIs become mainstream, they offer an unprecedented opportunity to drive new business opportunities through ecosystems and new ways of rebooting enterprise architectures via microservices. APIs will support new formats, and some standardization will take root. Machine-driven API traffic (especially AI traffic) will become a new growth vector. Internal projects will leverage APIs, but dramatic new things will not happen. And security will need to be a continuous focus.

Happy 2019 from all of us in Google Cloud’s Apigee team!