API Management

Our API Management platform, DigitMarket^TM API Manager (DM-APIM) is a complete package to help manage your APIs and turn them into tools that propel your business forward. It has four components that work in unison to provide the following basic runtime functionality:

The API Publisher Portal

This portal allows API publishers to configure the APIs, API packs, usage plans, usage policies, etc. Key features include:

• Create secure API proxies
• Create API packs from multiple APIs
• Advanced Policy library with the facility to share policies across multiple APIs
• Workflow/approval cycles on policy lifecycle
• Configure transformations at API and resource levels
• Ability to create multiple usage plans with a different set of runtime policies for each plan. For instance, Basic, Gold, Silver, Platinum, etc.
• Ability to selectively deploy and manage plans on different gateway runtime instances from a single screen
• Near-real-time statistics visualization
• Advanced and highly granular role-based access control for all features - API visibility, management, publishing, and consuming

The API Developer Portal

The Developer Portal helps developers discover, explore, try out and subscribe to the publishers’ APIs. The publisher can tailor the appearance of the developer portal as per their needs. Key features include:

• Developer self-registration
• Ability to search and navigate the API developer portal with the same user experience of an online store; with a clear listing of most popular APIs, What's new, API price, description, etc.
• Facility to manage the subscriptions through an easy-to-use interface
• The ability for internal and external developers and API providers to quickly view statistics of their API usage
• Facility for API providers to easily expose/create APIs by proxying existing endpoints and attaching policy templates
• Help/support ticket system built-in for API developers to report issues, bugs, etc.

The API Gateway

The API gateway enforces the policies defined by the publishers, validates the subscriptions, collects metrics, and enforces quotas. It is configured and managed using the publisher portal. No coding or customization is required. Key features include:

• The event-driven paradigm used to implement the API gateway, easily achieving high concurrencies
• Policy enforcement (details of each policy is described in our answer to the next question)
• Cluster-wide policy enforcement
• Quota overrun alerts with configurable threshold
• Transaction recording for analytics
• Multi-gateway runtime architecture to support isolation of high-traffic, high-volume APIs. Configuration and management is central though
• Subscription validation and auto-renewal facility

OAuth Authentication Server

The OAuth authorization server is a software system that implements network protocol flows that allow a client software application to act on behalf of a user. Key features include:

• Token management
• Supports OAuth custom grant types

Following are the three main aspects that differentiate our API manager tools:

• Product Positioning - We differentiate by positioning our product for customers that have a much wider scope of building a Digital Ecosystem rather than just providing API management service. When customers with a broader scope (digital ecosystems) choose only API management solution, they have to either build the digital marketplace on top of the API developer portal or integrate a standalone digital marketplace product like AppDirect.
  
  The scope of Digital Marketplace includes additional platform-business-specific capabilities such as provider on-boarding, contract management, workflows, e-commerce experience, etc. Our API manager is an integrated offering designed and positioned for enterprises that are already confident about the potential of the API economy and aim big to build digital ecosystems such as Schneider Electric, Dubai Smart City, etc.
• Product Engineering and SI under one roof – Our product engineering and SI work very closely which enables a tighter feedback loop. Customers get the benefit in terms of rapid delivery of features/enhancements.
• White-label / Distribution model for Enterprise Customers - Our API manager tools are designed to be multi-tenant that allows enterprise customers to distribute/provide cloud access as a rebranded enterprise offering.

Skills required by API providers are OAuth, HTTP, REST/JSON, and Swagger. To create some advanced rules, JavaScript skills would be an added advantage.

The following are the different API monetization policies on offer:

• Direct Billing – In this type of billing, the external developers get billed directly for their API consumption on basis of usage volumes, load, bandwidth utilization, location, etc.
• Bundled Billing (Packs) – This is a type of direct billing in which the external developers pay for bundled API kits instead of being billed for individual APIs.
• Internal Billing – This type of billing is mainly used for providing internal metering and chargeback for different units or departments within an organization.
• Tiered Billing – This type of billing model can be used to create categories of external developers based on parameters like usage, location, etc, and billed accordingly.

API monetization policies and functions are flexible and customizable, and can be different for the same API depending on the API consumer. We offer a paradigm of individual APIs and a collection of productized APIs – Packs/Plans. Each API consumer subscribes to a plan. Policies can be attached to Plans and individual subscriptions, i.e individual API consumers.

DM-APIM comes with built-in threat protection using the popular, industry-standard Mod-Security framework. The following essential rule sets are enabled by default:

• Content validation – XML schema and JSON schema
• Memory space breach and Buffer overflow attacks
• HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.
• Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation
• Digital signatures such as two-way SSL
• HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS Attacks, Public key DoS attacks
• Common Web Attacks Protection - detects common web application security attack, resource hijack attacks, and session hijack attacks
• Automation Detection - detects bots, crawlers, scanners, and other surface malicious activity
• XML Virus attack prevention
• Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application
• Tracking Sensitive Data - tracks Credit Card usage and blocks leakages
• Trojan Protection - detects access to Trojans horses
• Identification of Application Defects - alerts on application miss-configurations
• Error Detection and Hiding - Disguises error messages sent by the server

API Consumption management/control is provided by DM-APIM with the following capabilities:

• A backend rate limit can be defined. This is separate from the API's rate limiting policy and ensures that the backend resources are not overloaded.
• To track usage of external APIs against consumption quotas based on API call limits, a usage policy can be attached to the API and the gateway will ensure that the usage is limited to the defined limit
• Consumption management features work based on total consumption across a distributed deployment. The product architecture includes a network-centric global counter that maintains count across distributed gateway deployment.

DM-APIM and our associated service offerings provide features that are specifically aimed at supporting multi-experience strategy:

• Configurable content compression at the gateway to support low-footprint API payloads to support use cases in IoT, wearables, etc
• Support for integration with third-party services to enable voice-driven applications and chatbots
• Support for channel-specific APIs and creation of separate architectural layers tailored for front-end channels. This is commonly referred to in the industry as the BFF pattern (Back-end For Front-end). Microservices exposed through micro gateways are good candidates to build the BFF layer.
• System Integration and custom solution development to build industrial Augmented Reality applications using frameworks like ARKit in the Energy management domain.

The key consideration in API Management to support all the above-mentioned multi-experience touchpoints is the ability to tailor specific security policies, support streaming, pluggable state management, data compression, etc.

DigitMarket^TM API manager can be deployed and managed with a hybrid topology - Cloud and on-premise. The management layer could be deployed on the Cloud, whereas the API Gateway could be on-premise or vice-versa. To support such hybrid topology, we provision a separate instance on the Cloud and deploy additional layers of security to allow secure access to the admin APIs of the API management platform.

Our industry vertical templates provide the required specs, principles, and reference models to integrate Open Banking APIs to your core banking and associated systems. Our complementing offering, Concierge Bank is a comprehensive marketplace-banking solution built on the foundation of Open Banking. It allows quick integration to third-party services helping banks to create their own marketplace via the managed API platform.

Our Support models range from product support to system-integration oriented Level 2 and Level 3 support. The product support escalation process allows customers to escalate to a product support manager as a first level. The second level of escalation is the Product owner. The final level of escalation is the CEO.

Our system integration-based support models are highly evolved. If a customer wishes to escalate any problem, the first level of escalation is the Support Manager. The second level is Business Unit Head, the final level is the CEO.

Here is how the SLAs work:

Our SLAs are categorized into availability uptime SLAs (also known as System Availability SLA) and QoS (Quality of Service) SLAs. The uptime SLA values are different for on-premise deployment and Cloud deployment. For on-premise hosting, we allow flexible SLAs that are designed for supporting mission-critical business applications. This includes both QoS-related SLAs such as response times from the gateways and high-availability SLAs (Ex: 99.999% availability).

The following elements differentiate our customer support:

• We follow the DevOps model, combined with some elements of the traditional support to offer the best of both worlds
• We offer tailor-made support plans and SLAs that best suit the needs of the customer.
• We charge for support only when the customer goes live.

Seven days before your account subscription expires, you receive an email notifying you that your account is about to expire and prompting you to contact your account representative to retain your account.

When your subscription expires, you can’t restart existing apps or create new apps. Running apps might stop without notice at the discretion of Torry Harris. To renew your subscription, contact your account representative.

The Cloud version is updated regularly, with bug fixes and minor enhancements. However, every change is notified to the customers. We also ensure a zero-downtime deployment using our continuous delivery framework, Meridian. We ensure this by deploying the changes on the independent nodes of a load-balanced environment at a non-peak time.

Customers, however, are informed well in advance of the changes and about the possibility of a performance degrade. In the case of customers who have very high loads, separate instances are spawned to eliminate the performance degradation.

Any major feature changes are released as part of the scheduled release plan. Customers are also informed in advance about the release schedules and any migration steps that may be required are published in advance.

Professional services and consultancy form a very important part of our model since we offer consolidated end-to-end services in our focus areas. Depending on the phase the customer is in with respect to their API journey, any of the blocks within DigitMarket^TM could be used by the customer and made to work (coexist) with any other commercial or open-source products.

We also assist clients from time to time in product selection for their enterprise. Though DigitMarket^TM is open standards-based and the client can choose to engage with any vendor for the professional services and consultancy bit, they generally tend to engage us to offer both these services.

AutoStub 2.0 is our product that clients use to mimic the services/APIs. The tool generates a mocked HTTP(S) endpoint based on the WSDL or Swagger specification provided. This ensures that the contract itself can be validated and the same test cases (already created on Automaton) can be run on the actual service once it is ready to ensure that the contract is enforced during actual endpoint exposure.

AutoStub generates a high volume of test data based on pattern rules. AutoStub and Automaton provide command-line triggers that can be easily integrated with the DevOps pipeline. We provide our own framework Meridian for this purpose, though it can be used with any DevOps toolset.