
From API Intelligence to API Governance by Harsha Chelle (Treblle)

From API Intelligence to API Governance: Preparing for the AI-Driven API Economy
Harsha Chelle, Head of Customers at Treblle

apidays Singapore 2025
Where APIs Meet AI: Building Tomorrow's Intelligent Ecosystems
Marina Bay Sands Expo & Convention Centre
April 15 & 16, 2025


apidays

April 15, 2025

Transcript

  1. State of the Market Report 2025
    Full Report coming to you in 4 weeks
    From API Intelligence to API Governance
    Sponsored by
    API Insights Series
  2. Sponsored by Treblle.
    Special thanks to: Vedran Cindrić, David Blažević, Davor Kolenc, Ivan (Guillaume) Druet, Mehdi Medjaoui, Nilesh Kajale, Melvin Rook, and Alen Pokos.
    Published by apidays. April 2025
    Written and researched by Mark Boyd. Technical review by Mike Amundsen. Design by Rebeca Vittorazo.

    From API Intelligence to API Governance: State of the Market Report 2025 discusses current trends and practices in building APIs that are high value, performant, and secure. The report looks at current trends in API Intelligence and how teams can leverage their intelligence capabilities to create an organisational-wide approach to API governance, where all APIs are built to generate value, speed up product development, and help foster ecosystems.

    API Intelligence Platform
    Treblle helps engineering and product teams build, ship and understand their REST APIs in one single place
    Visit
  3. How value is generated from APIs

    Value from internal APIs
    • Composability: You can use APIs to create composable digital components to build internal applications and workflows, or create external-facing digital products and services (including apps and websites).
    • Faster product development: APIs help you speed up product development by encouraging you to reuse components and by lowering your maintenance costs when something needs to be changed: the API can be swapped out for another one without bringing your whole system offline while changes are made.
    • Automation and orchestration: APIs can be used to create automated workflows that are triggered when specific events occur, or on a regular schedule. With AI being introduced, you can also look at how to improve workflows by allowing automated decisions to be enacted based on machine learning and algorithms based on your historical data.

    Value from sharing APIs with partners
    • Faster onboarding: APIs reduce integration time and streamline the onboarding process for new partners.
    • Relationship management: APIs allow you to better manage and understand the needs of your partners by allowing you access to analytics on their usage of your data and web services. APIs are like infrastructure-as-code contracts in themselves, which allow you to demonstrate your service level agreements, ensure appropriate permission levels, manage use through rate limiting, and automate other aspects of your relationship.
    • Reduced build and access costs: APIs allow organisations to access and use data and services from a partner's system as needed.
    • Customer insights: Sharing APIs with your partners gives you an opportunity to learn more about what they use most often and where your API needs to be improved to help you better serve others in your ecosystem.

    Value from exposing secure APIs to third parties
    • Revenue generation: APIs can be directly monetized with third party providers who pay for access to your data or web service components.
    • New customer acquisition: APIs can allow external parties to drive new customers to your products and services.
    • Broader ecosystem growth: Third parties can build additional products and services using your APIs that you do not have the team or resources to build as a priority, but that can address gaps and extend the value of your business to more customer segments.
  4. The role of API Intelligence and its impact on API Governance

    API Intelligence goes beyond monitoring. It enables proactive issue resolution. Real-time alerts highlight critical issues early, while logging uncovers root causes, allowing teams to fix infrastructure and configurations to prevent future occurrences.

    From API Intelligence to API Governance
    API Intelligence helps identify best practices and common approaches that ensure API infrastructure is performant, reliable, and generating the value expected by API consumers. These proven patterns form the basis of API Governance, a set of standards and policies guiding consistent API design, development, and deployment.

    Enabling Scalable API Use in an AI-First World
    As AI agents increasingly consume APIs, consistency becomes even more critical. Just like human developers, AI workflows benefit from predictable, well-structured APIs, making governance essential for maximizing API value in the age of automation.

    About this report
    This report describes some of the key areas of API Intelligence that should be managed proactively to ensure that APIs are easy to consume, performant, and secure. We share current trends in adopting industry best practices in ways you can apply to your API portfolio. As you move from API Intelligence to API Governance, we propose quick wins you can implement in under 10 minutes, short-term gains that you can have in place in less than 10 days, and larger projects that may require dedicated resources across 10 weeks to implement.
  5. API Intelligence best practices and current trends
    Learning from API Intelligence to create API Governance
    Understanding API Design, Performance, and Security
  6. API Design

    API Design approaches ensure that APIs are designed leveraging industry best practices so that they are easier to understand and immediately used by all developer audiences (internal, partners, third parties and now AI).

    From API Intelligence…
    When starting API Intelligence to monitor your API design practices, you will want to see what elements are making a difference for your users. Pay attention to issues like the error rates or issues users are having with your APIs. This may indicate the need for better documentation: either via samples and response codes in the API, or by additional support around onboarding.

    …to API Governance
    As you see what works across your API design (and with the later sections on performance and security), you can create some internal standards and share them via a style guide of practices that you want to have present in all of your APIs. Depending on your organisational structure, this may be something led bottom up (by API teams sharing what works amongst each other), from a platform enablement team (who is responsible for your API management and tooling), or top-down from an organisational-wide governance committee. When budget, resources, and buy-in are high enough, you can create a linter that automates checks against your style guide.

    In this section we will look at:
    In this section we highlight several areas where there is increasingly industry-wide agreement on best practices. This includes rate limiting, API design approaches that define how API calls are made and responded to, and version management and deprecation. We also highlight other areas of API design best practices including contact management, pluralization of resources, and operation descriptions.
  7. Rate Limiting
    API Intelligence for API design

    Limiting the number of requests per user or IP can protect your APIs from abuse tactics like scraping and denial-of-service attacks. Restricting requests can also prevent bots from overwhelming your system and gathering data.

    10 minutes: Review logs, identify seasonal peaks
    10 days: Set up analytics and review regularly
    10 weeks: Create documentation to support users

    "Why did my API fail? Usually we'll get a very vague 422 or 400.. [but] what was bad about it?... I think that's the hardest part about working with APIs"
    Robert Landers, Senior Software Engineer, Funxtion

    Rate limiting (chart): 85%, 15%; labels: don't have rate limiting defined in their APIs, have rate limiting defined in their APIs
    Source: Anatomy of an API 2024 [13]
  8. Making API calls, returning responses and managing API versions
    API Intelligence for API design

    71% of APIs analysed by Treblle used some form of versioning.
    Source: Anatomy of an API 2024 [13]

    "There is a lot of POST functionality in our APIs. The value proposition of our products is that they support our customers to make better, more efficient decisions and streamline complexities. POST operations make that possible."
    Nilesh Kajale, SVP, Engineering, Relatient

    10 minutes: Define "breaking changes"
    10 days: Identify non-breaking change fixes you can implement
    10 weeks: Establish API improvement and version management policies and processes
  9. Other best practices for API design
    API Intelligence for API design

    "The more examples we provide of integration workflow patterns, the better it becomes for third-party consumers. It shortens the learning curve and removes resistance in usage that is an important element in any API success."
    Nilesh Kajale, SVP, Engineering, Relatient

    77% of all endpoints use nouns but only 16% are in plural
    Source: Anatomy of an API 2024 [13]

    10 minutes: Understand the organisational structure and appetite for API Governance
    10 days: Map commonalities and identify the most performant and impactful APIs
    10 weeks: Create or use style guides and linters
  10. API Performance

    API Performance approaches ensure that APIs are generating the value you promise to your API consumers. They are accessible, available even when there are busy periods, they return expected responses, and they do not drain resources.

    From API Intelligence…
    You can manage logs, set up threshold alerts, and better track how well your APIs are providing value to your API consumers (internal, partners and third parties). By monitoring performance, you can respond to challenges before your consumers are affected and you can prioritize API improvements for those APIs with the greatest value for users.

    …to API Governance
    As you learn what makes your APIs most performant, share this data across your teams. Highlight your well-built APIs and describe the value they are generating for customers. Draw up what characteristics these high performing APIs share and encourage this as the start of a style guide for your API governance. Encourage all APIs to include these characteristics as a minimum.

    In this section we will look at:
    In this section, we look at how measuring and monitoring API performance can help prioritise improvements. Developers increase their use of your APIs when they are highly performant and function as expected. We look at key areas of performance, most notably cache support and CDN usage, as well as other performance approaches including compression and use of HTTP/2.
  11. Managing API performance
    API Intelligence for API performance

    Supporting compression, monitoring load times, caching support and use of Content Delivery Networks impact on performance

    Average endpoint load times (chart): 50%, 20%, 14%, 9%; labels: <150 ms load time, >500 ms load time, 150 ms to 300 ms load time, 300 ms to 500 ms load time
    Source: Anatomy of an API 2024 [13]

    10 minutes: Review use of headers and CDN URLs; Add alert thresholds
    10 days: Extend your intelligence to include cache and CDN metrics; Add distributed tracing technologies
    10 weeks: Consider service worker scripts; Add distributed tracing technologies
  12. API Security

    API security is the practice of safeguarding APIs against unauthorized access, data breaches, and other cyber threats. A single vulnerability in an API can expose sensitive data, disrupt critical operations, and damage trust with users and partners.

    From API Intelligence…
    You can ensure you have consistent, robust security measures in place for all of your APIs and reduce budgetary and reputational risks from poorly managed APIs. Monitor key security risks such as authentication behavior to identify whether anything suspicious is occurring.

    …to API Governance
    Ensure there are no threat vectors left unprotected, for example, security objects or fields that are left without definitions or blank in your APIs. You can use tooling to review your APIs to ensure they are meeting security best practices. This review can be part of your API review and deployment process so that APIs must be reviewed automatically before entering a CI/CD pipeline.

    In this section we will look at:
    API security practices ensure your APIs are not used as a threat vector to gain access to systems or to cause attacks that reduce performance and capabilities of your systems. This section looks at key security best practices including authentication and authorization, and appropriately defining other security fields and objects in your APIs.
  13. Authentication and Authorization
    API Intelligence for API security

    Authentication and authorization are security processes that ensure only authorized users or systems can access your API resources.

    Authenticated vs. unauthenticated requests (chart): 48%, 52%; labels: authenticated requests, unauthenticated requests
    Source: Anatomy of an API 2024 [13]

    10 minutes: Review authentication API design and documentation
    10 days: Set up logging and analytics
    10 weeks: Consider adding JWT for high volume APIs or FAPI for sensitive APIs
  14. Best practices in API security
    API Intelligence for API security

    Ensuring headers including X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options and Content-Security-Policy headers are in place strengthens your security posture. Securing URLs by using HTTPS is also essential.

    Number of zombie endpoints, 2023 vs 2024 (chart): 24%, 35%
    APIs with endpoints classified as active, 2023 vs 2024 (chart): 76%, 65%
    Number of requests, HTTP vs HTTPS: 45% HTTPS, 55% HTTP
    Source: Anatomy of an API 2024 [13]

    10 minutes: Check that you are using HTTPS
    10 days: Review all security fields
    10 weeks: Review all zombie endpoints
  15. API Intelligence and API Governance in the AI Era
    Preparing your API portfolio for a new type of API consumer
  16. API Intelligence and API Governance in the AI Era
    API Intelligence for API security

    The next generation of API consumers may not be people or client applications, but AI Agents

    In 2024 the number of AI-related APIs grew by 807% compared to last year while the average growth across all other sectors and industries has been 10%

    Business functions in which respondents' organizations are regularly using gen AI, by industry

    Industry                                   % of APIs that are high quality   Using gen AI in at least 1 function
    Technology                                 6%                                88
    Professional services                      2%                                80
    Media and telecom                          2%                                79
    Consumer goods and retail                  2%                                68
    Financial services                         6%                                65
    Healthcare, pharma, and medical products   2%                                63
    Energy and materials                       2%                                59
    Overall                                    4%                                71

    Source: Anatomy of an API 2024 [13]
    Source: McKinsey [24]

    10 minutes: Identify which of your APIs might be used by AI
    10 days: Ensure your APIs can be understood by MCP servers
    10 weeks: Create and refine an API validation tool using AI
  17. Moving into action: From API Intelligence to API Governance

    Follow industry best practices by improving your API Intelligence and evolving towards an API Governance approach across your API portfolio

    Here are the current industry trends that API leaders are taking to ensure their APIs are of high value for their consumers, whether that is internal developers, partners, or third party API ecosystem users.

    In 10 minutes or under
    • Design: Review logs, identify seasonal peaks; Define "breaking changes"; Understand the organisational structure and appetite for API Governance
    • Performance: Review use of headers and CDN URLs; Add alert thresholds
    • Security: Review authentication API design and documentation; Check that you are using HTTPS
    • AI readiness: Identify which of your APIs might be used by AI

    In 10 days or less
    • Design: Set up analytics and review regularly; Identify non-breaking change fixes you can implement; Map commonalities and identify the most performant and impactful APIs
    • Performance: Extend your intelligence to include cache and CDN metrics; Add distributed tracing technologies
    • Security: Set up logging and analytics; Review all security fields
    • AI readiness: Ensure your APIs can be understood by MCP servers

    Across 10 weeks
    • Design: Create documentation to support users; Establish API improvement and version management policies and processes; Create or use style guides and linters
    • Performance: Consider service worker scripts; Map data and API usage flows
    • Security: Consider adding JWT for high volume APIs or FAPI for sensitive APIs; Review all zombie endpoints
    • AI readiness: Create and refine an API validation tool using AI
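
Slides 6, 12 and 14 describe a linter that automates style-guide checks and a review of blank security fields before an API enters CI/CD. The following is an added example of such a check, not code from the report or from Treblle: it walks an OpenAPI-style document and reports HTTP servers, operations with blank or undefined security, missing 429 (rate limit) responses, missing version segments, singular resource names and missing descriptions. The `SPEC` document and the rule names are constructed for illustration, and the plural test is a deliberately naive assumption.

```python
import re

# Constructed OpenAPI-style document (sample input, not from the report).
SPEC = {
    "servers": [{"url": "http://api.example.test/v1"}],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [],
    "paths": {
        "/v1/orders": {"get": {
            "description": "List orders",
            "security": [{"bearer": []}],
            "responses": {"200": {}, "429": {}}}},
        "/invoice/{id}": {"get": {"responses": {"200": {}}}},
    },
}

METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
def lint(spec):
    """Return a sorted list of (location, rule) findings."""
    findings = []
    for server in spec.get("servers", []):
        if not server.get("url", "").startswith("https://"):
            findings.append((server.get("url", "?"), "server-not-https"))
    schemes = spec.get("components", {}).get("securitySchemes", {})
    if not schemes:
        findings.append(("components", "no-security-schemes"))
    global_sec = spec.get("security") or []
    for path, item in spec.get("paths", {}).items():
        segments = [s for s in path.split("/") if s and not s.startswith("{")]
        if not any(re.fullmatch(r"v\d+", s) for s in segments):
            findings.append((path, "no-version-segment"))
        resources = [s for s in segments if not re.fullmatch(r"v\d+", s)]
        # Naive plural heuristic (assumption): resource name ends in "s".
        if resources and not resources[-1].endswith("s"):
            findings.append((path, "resource-not-plural"))
        for method, op in item.items():
            if method not in METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Operation-level security overrides global; empty means unauthenticated.
            sec = op["security"] if "security" in op else global_sec
            names = {n for req in sec for n in req}
            if not names:
                findings.append((where, "security-blank"))
            elif names - set(schemes):
                findings.append((where, "security-undefined-scheme"))
            if "429" not in op.get("responses", {}):
                findings.append((where, "no-429-rate-limit-response"))
            if not op.get("description"):
                findings.append((where, "missing-description"))
    return sorted(findings)

if __name__ == "__main__":
    print(*lint(SPEC), sep="\n")
```

Run in a pre-merge job, a non-empty result from `lint()` can fail the build so that a specification with blank security fields never reaches deployment.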