APIs (application programming interfaces) are continually growing in adoption as a way to connect applications and speed up digital transformation. With the proliferation of APIs, proper API governance is now more important than ever; ensuring your APIs are:

• Discoverable: APIs are easy to find, evaluate, and use by the entire organization.
• Complete, Consistent, and Compliant: APIs are high quality and deliver reliable consumer experiences.
• Reusable: APIs can be easily reused to improve efficiency in your API program.
• Secure: so that data is safe, risk is minimized, and you’re complying with regulation.
• Collaborative: well thought-out and well-documented so that everyone in your ecosystem can understand, use, and collaborate on them.

It’s no wonder therefore that Forbes state “the strategic importance of API governance cannot be underestimated”, and that API governance is a key part to an enterprise’s competitive edge. If governance is done right, it can be used to increase the value of the functionality you’re exposing through APIs, and ensure an easy way for developers to adhere to your enterprise standards and guardrails when designing, developing, and managing APIs at scale.

But what exactly is API governance, and what are proven best practices for enforcing it?

What is API governance?

API governance is the framework and set of practices that ensures your APIs are high quality, consistent and compliant, and aligned to business goals. Governance incorporates API coding best practices and design style guides, security and API gateway policy enforcement, and business-level metadata to aid API discovery and consumption.

In practice, we often see enterprises using an API governance model encompassing a multitude of rules, patterns, standards and policies, with subsets of rules for different API protocols, patterns, and use cases.

API reporting is a key component of good API governance too. It’s critical to be able to understand the governance maturity of your entire API portfolio, as well as track the key performance indicators (KPIs) of your governance initiatives.

Fundamentally, API governance provides the guardrails that result in great APIs, and is a key component of a mature API management program.

Who needs API governance?

Simply put, API governance is important for any organization implementing an API First strategy, where APIs are core to transformation and treated as strategic business assets.

There’s one use case in particular where API governance is absolutely critical to get right. That’s large enterprises. You’re likely already working with 100s-1000s of different API categories and types. These APIs are exposing your business capabilities and IT functions, and with the help of good governance provides you with a portfolio of API building blocks ready for adoption and reuse by your internal, partner, and customer consumers.

There’s also a regulatory aspect to the need for API governance. The best known example example is the Open Banking Implementation Entity (OBIE)’s Open Banking Standards in the UK, but API-related legislation is ever-growing across the globe. We’re also seeing a growing trend of internal and ad hoc governance reporting especially in highly regulated industries like banking. This includes reporting on API security and capturing and tackling the looming threat of API sprawl.

API Governance Best Practices for 2024

Governance traditionally gets a bad rep. it’s viewed as slow, manual, and error-prone, and can be an afterthought in the API development and management process. This is because governance guardrails have been hard to enforce without rigid approval flows and centralized control. Follow the best practices outlined below to transform your API governance process so it’s democratized, automated, and flexible.

1. Have a centralized set of enterprise-wide API governance rules

This sounds almost counter-intuitive given what we’ve just discussed. But there will always be a need for a core set of governance rules that are defined globally and adopted across the enterprise. By this we mean not only to adopt basic coding standards (e.g. the OpenAPI Specification), but also those based on what matters to the business, for example:

• Ensuring API basepath uniqueness
• Checking important metadata fields which ensure discoverability and reusability e.g. owner, lifecycle state, the capability the API supports, classification
• Access control rules for who can do what with your APIs and when

2. Build in flexibility and clear exception pathways

The reality for large enterprises is that not every API in the portfolio will need the same level of governance rules. For example, a business capability API exposed in consumer portal(s) will need a much higher set of standards than a legacy SOAP service set for deprecation in a few years.

Your governance model needs to be applied in a flexible way with clear exception pathways so that your APIs can be governed according to their type, use case, and owner. Other factors for exceptions include downstream target platform, technology types, and where you’ll be exposing your APIs (e.g. an internal Developer Portal vs public Marketplace).

Our ignite Platform customers are using configurable governance levels and families to define exceptions such as:

• APIs exposed in portals need to be curated with business-level metadata before they can be published.
• Specific API security policy based on line of business or taxonomy classification.
• Based on HTTP Method Type, certain headers and/or response codes are required.

3. Automate governance checking and validation

Self-service governance means empowerment and enablement over enforcement, and helps increase productivity and speed. Developers and other roles need to quickly make sure their APIs are conformant to your enterprise standards at various stages of the lifecycle. For example, before deploying new APIs or making consumer-requested updates to existing APIs. These checks should be automated and ideally available where stakeholders are already working (e.g. our ignite Platform where developers can validate their API projects against a basic governance level directly in the repo when checking it in).

4. Capture the entire API inventory in a Holistic Catalog

Complex API ecosystems can make it hard to track and report on your governance success. Capturing every API in every lifecycle state across every platform can help you understand your overall governance compliance, identify risks that need remediation, and track your governance KPIs over time.

Even better if your catalog is abstracted away from your API gateways and runtimes. Not only does this remove some complexity, making self-service governance easier for non-technical roles, it ensures you’re really capturing every API and can be used as a basis to ensure you can quickly make well-governed changes to your APIs over time.

5. Apply governance at all stages of the API lifecycle.

All too often, governance reviews are done after the API has been designed and developed. This can lead to bottlenecks and makes issues much more difficult to fix. You should instead be aiming to apply governance at all stages of the lifecycle, such as:

• Establishing standards for documentation, versioning, and rules from your style guide during API design.
• Coding standards and security measures during API development.
• Standardized test cases and compliance checks during API testing.
• Ensuring consistent artifacts and appropriate policies and thresholds during API deployment.
• Consumption governance once APIs are made available for adoption in portals.
• Impact analysis and change management as your APIs evolve over time.

6. Build in data consistency through reusable domain models and components

Many large enterprises either have, or are working to move away from large clunky canonical models in API development. Instead, they’re adopting domain models of reusable data components to build in data consistency especially in the APIs’ payloads.

Developing APIs in this way is recommended because you are using approved model objects and resources which standardize enterprise information in predetermined structures. This helps with API governance at speed as it’s increasing standardization and reusability of your APIs, while bypassing the slow process of developers having to constantly define common structures over and over.

7. Implement robust API versioning

APIs evolve over time, and API versioning is therefore crucial to keeping track of this. It’s important to align all versions to your governance model and guardrails.

Governance can also help determine if a change is backward compatible or not, so it may be possible to enforce major version change if an API version is not backward compatible, and therefore prevent breakage when deployed and used by applications.

8. Ensure your API governance rules are met before an API can be deployed

Deploying un-governed APIs, or APIs with governance violations, even into a sandbox environment, is detrimental for large enterprises; costing time and money and adding to the growing danger of shadow APIs. You want your enterprise’s API governance rules, as well as generic architectural type standards (e.g. OpenAPI Spec), to be validated against and any violations resolved before the API is in production.

An example of this would be ensuring that your API has an appropriate security policy applied and all your defined “must” violations are addressed before it can be transitioned from UAT to Production environments. This is of course important for effective API security too, and with 23% of companies experiencing an API breach in 2024, good security is paramount.

9. Embrace the mindset change of governance as an API curation tool

It takes time to move away from the negative connotations of “big G” API governance, which is why it’s worth investing in educating stakeholders in your enterprise to the modern and mature approach of governance that’s automated, flexible, and democratized. Fundamentally, governance is an API curation tool, ensuring you can be proud to put your company name and logo on your APIs you make available for consumption.

The ignite Platform enables democratized and automated API governance

Here at digitalML, we love all things API governance. Our ignite Platform consists of a Holistic Catalog of all APIs, and tailored API Consumer Portals, all kept fresh by Extended Lifecycle Management. Good governance is built in throughout the platform, including capabilities such as:

• Governance families and levels to tailor rule sets to each API’s use case, driving flexibility.
• Embedded developer level governance in your repo such as GitHub, to reduce friction.
• API curation and business-level metadata governance to make sure you’re proud to put your logo on your exposed APIs.
• Well-governed API updates including impact analysis and change management.
• API governance reporting and tracking.
• Automated governance checking and bulk updates to make adherence quick and easy.
• API consumption governance to manage who can use your APIs (and where).

You can learn more about ignite’s API governance capabilities and assess your own maturity with this product sheet:

Conclusion

API governance is the framework and set of practices that make your APIs quality and usable. Traditionally, governance can be slow and manual, but by adopting the best practices we’ve discussed in this post, you can transform your governance process so it’s democratized, automated, and flexible, driving increased value from your API program. Book a personalized demo with us to learn how ignite supports mature API governance.