Managing Third-Party API Consumption

Application Programming Interfaces (APIs) developed by third parties play a key role in enabling your applications to access services and data provided by applications developed by other businesses. Whether it’s your online shopping cart connecting to a credit card transaction system to charge fees to one of your customers, or one of your internal processes connecting to a business partner application to exchange data, third-party APIs help drive your business operations.

In some cases, third-party APIs are public and available to anyone. Well-known examples include Google Maps, which you can connect to in order to provide access to maps and directions for anyone who wants to visit your office. Facebook is another example. They provide a third-party API that you can use to allow customers to log in to one of your web applications without creating an account—they just use their Facebook credentials.

In other cases, third-party APIs are private and require authorization to access. They usually come into play when a business partnership is established, as in the case of a hospital that needs to submit claims to an insurance company. The insurance company would provide access to a third-party API that would allow the hospital to connect its system to the insurance company’s system.

Some third-party APIs are free. The publishers realize that allowing you to connect with their service or data can indirectly lead to one of their services generating revenue, or end-users may be exposed to their branding. Other APIs come with a cost, which could be on a monthly subscription basis or a per-use basis, or they may charge a percentage of any financial transactions you execute while using the API.

Free!

A Business Leader’s Guide to APIs

Download Now!

How to Use Third-Party APIs

When considering third-party APIs that your business might want to use, the very first aspect to review is the documentation offered by the developer of the API. Well-written documentation clearly explains the purpose of the API, how developers can use it, how to integrate with the API, and the standards and protocols that are in play.

This will make it easier for developers to connect with your application. You can also see whether sufficient security is in place to protect any sensitive information your application might be exchanging with the API.

If the documentation is poorly written, or if there’s no documentation at all, those are signs that maybe you don’t want to use that particular third-party API—assuming there are alternatives you can turn to. But if you are locked in, realize your developers will need to spend more time programming the integration, and there may be additional security measures to apply on your end.

This can be overcome by applying your internal security policies. In the Gartner report, Managing the Consumption of Third-Party APIs, analyst Mark O’Neill recommends that businesses “govern usage and protection of API keys by applying consumption and security policies to external APIs.”¹

Another key security tactic to consider is the use of transport layer encryption technologies—such as HTTPS and TLS/SSL. They protect digital assets and avoid cases where cybercriminals can manipulate communications and data exchanges between your application and a partner application. These are commonly known as Man-in-the-Middle attacks.

One of the key protocols to look for in third-party APIs is WebSockets. By eliminating the need for your application to poll the target API server for a reply, this protocol reduces the overhead of the compute resources required for your application to exchange data and services with the partner’s application. This is helpful when it’s particularly critical for real-time exchanges.

Also, look for third-party APIs that use Webhooks. These mechanisms enable an API to automatically notify your application when activity has occurred. This can include code and programming updates to the API.

But where you will really appreciate this attribute is when someone pays you or buys products and services through a third-party application. You receive immediate notification rather than having to log in to see what activity has taken place.

Guidelines for Managing Third-Party APIs

Should your business choose to consume a large number of third-party APIs, it’s important to set up a process to oversee how each API is used, especially if you have multiple developers handling third-party integrations. You want to make sure each developer applies the same security standards and follows your internal policies. For example, third-party APIs will use a variety of message formats, so you want to implement a process to transform them into your standard message format.

By cataloging the documentation of all the third-party APIs you use and storing credentials in a centralized database, you can facilitate their use by different business units and different developers. Cataloging is highly-recommended by O’Neill in the Gartner report referenced above: “Register the third-party APIs consumed by your organization in an API catalog alongside your internal APIs so that they can be discovered and used together,” O’Neill writes.¹

This is particularly true in cases where you have multiple applications that need access to the same third-party API. And if a developer changes roles or leaves the company, a new developer can step right in to manage that set of APIs.

Another key management guideline is to decouple your application from the third-party API by using microservices containers. This will make it easier to maintain API integrations should you move your application into a new environment, such as migrating from a data center to the cloud or from one cloud platform to another.

Lastly, be sure to monitor your overall third-party API usage and evaluate whether they are performing at the level your end-users require in terms of delivering fast responses. And if you are paying for an API, is it delivering sufficient ROI? Is the API being maintained? Is it introducing any security risks? By answering these questions, you may discover you are not generating the value you require—and it could be time to consider alternatives.

Third-Party APIs vs. First-Party APIs

In addition to enabling your applications to access the data and services of external applications, third-party APIs also save you on software development costs. Instead of your developers having to write code for integration, the other business has already done this for you, thus saving you time in not only creating the API but also in maintaining the API.

But there are times when it makes sense to forgo third-party APIs and develop your own, sometimes called first-party APIs. It could be that a third-party API does not execute a data or service exchange exactly as you need it to. Or the security posture of the third-party API may be so weak, you don’t trust the exchanges with your application.

If you’re not happy with the way a third-party API is maintained—if, for example, patches and updates occur too slowly—you might want to consider a first-party API as well. This gives you full control over the software development lifecycle of the API.

But there’s no doubt third-party APIs that are professionally developed, documented, and maintained deliver significant benefits. Your developers can use them easily and you reduce the cost of your programming resources.

You also benefit from the primary deliverables of the leading third-party APIs: greater revenue generation capabilities for your applications and the ability for your applications that drive business processes to run more efficiently.