In March 2024, the Nordic APIs community assembled once again in Texas for the Austin API Summit, an event that featured over 40 expert speakers sharing critical insights on building success in the API ecosystem.

The conference covered a spectrum of wisdom on what it means to provide and consume quality APIs. Many recurring themes emerged, from new advances in AI to developer experience expectations and new design patterns. Below, I’ll summarize a handful of takeaways that personally stood out to me.

1. Generative AI Is Everywhere

The excitement around generative AI dominated the discussion throughout the event. This makes sense, given that Gartner predicts that by 2027, 90% of enterprises will actively use AI tools in their software development.

Paul Dumas, Senior Director Analyst at Gartner, demonstrated the importance of generative AI and forecasted that more APIs will be built using it in the near future. Although gen AI will produce APIs and the code to consume APIs, it will depend on the proper orchestration and prompt engineering.

Heather Hinton, CISO at PagerDuty, explored how PagerDuty is utilizing generative AI to optimize their internal processes, noting how APIs go hand in hand with an AI strategy. “We relearned to love APIs when going through our generative AI adoption,” she said.

When it comes down to it, large language model (LLM) security hinges on API security. Ankita Gupta, co-founder and CEO of Akto, walked us through popular LLMs and the unique security risks they are prone to, highlighting top vulnerabilities like prompt injection and data poisoning that are represented on the OWASP top ten for LLMs.

2. Developer Experience Matters

Developer experience (DX) was also a central talking point, surfacing in best practices around SDK generation, technical writing, and upkeeping quality documentation.

Quick show of hands: who prefers to use SDKs over sending direct API requests? Jim Bennett, Principal Developer Advocate at Liblab, made it clear that SDKs win out every time as the easier way to work with web APIs. Automating the creation of SDKs in multiple programming languages can help enforce type safety and improve DX for your consumers, he says.

Although SDKs can aid DX, documentation still matters. “Your public facing documentation is your product,” said Ken Cenerelli, Senior Technical Writer at Google. He gave us a window into the day in the life of a technical writer, highlighting how technical writers are essential for creating a consistent workspace and workflow for your APIs.

“Good documentation is not a substitute for good engineering practices,” says Laura Rubin, Staff Technical Writer at Nylas. Instead of just-in-time technical writing, she recommends investing upfront time to enhance your documentation. Some tips include writing in succinct Global English, having instant feedback mechanisms, and watching newcomers try your documentation to assess understandability.

3. API Security Combats New Threats

As API attacks are rising, so are strategies to respond to threats, such as defensive-in-depth, zero-trust, and better inventorizing. We’ll also need innovative ways to safely apply authentication and authorization to future IoT use cases.

To set the stage, Dan Barahona from APISec University shared interesting statistics from his recent API security research, which analyzed over 30 API breaches. He found that, although rate-limiting issues were most common, broken authorization, broken authentication, and excessive data exposure were the root causes for 90% of breaches researched.

Dan Barahona showcases findings from recent API breaches.

In his talk, Aran White, Head of Product Management at Broadcom (Layer 7), covered why you should think holistically about the modern API security lifecycle and apply governance across both north-south and east-west connections. He highlighted input validation, secure rate limiting, cryptography, passwordless authentication, and countless other strategies to consider.

API discovery is vital for knowing your surface area, as it can spot rogue or unmanaged APIs. But what even constitutes an API? Simply counting APIs is more complicated than you might think since you could classify them per unique unqualified endpoint, per method, per OpenAPI file, or by other means, says Rob Dickinson, VP of Engineering at Graylog.

According to Travis Spencer, CEO of Curity, decentralized identity is a big incoming movement that could affect how we provide digital credentials for a wide range of daily activities. He says this trend will especially affect how APIs handle authorization, necessitating a move toward verifiable credentials.

4. API Design Is Evolving

As always, API design continues to be a popular, evolving area of focus. This year, Austin speakers introduced us to new open-source languages and tools for describing APIs and SDKs.

For example, Mandy Whaley, Partner Director of Product at Microsoft’s Azure Developer Tools, walked through a new open-source API description language TypeSpec, which she said is a simple, scalable, and intuitive way to design APIs. Better yet, it works with OpenAPI Specifications. Other newer tools mentioned in Austin include Smithy and Kiota.

API design is an art that must weigh multiple competing forces, according to David Biesack, Chief API Officer of Apiture. “API design is a whole-brain activity,” he said. “It’s an act of intelligence that requires both the left and right brain.” API design involves style and naming decisions to meet developer expectations and a careful design over time to allow the service to evolve.

David Biesack explains why API design is an art.

Another show of hands: who is actually rate limiting their APIs? Though it seems like a ubiquitous best practice, I was surprised to see rate limiting is not always applied. Excessive API usage can have severe consequences, noted Nate Totten, CTO and Co-Founder of Zuplo, but it might not stem from who you might think. Instead of malicious actors, it’s more likely that internal accidents will overload APIs, he said.

With OpenAPI Moonwalk in progress and the emergence of new event-driven styles and description languages on the scene, Gareth Jones, API Architect, Microsoft, cautions us not to reignite in-fighting similar to the great API description wars of yesteryear, which pitted the likes of RAML, API Blueprint, and Swagger against each other.

At the end of the day, OpenAPI triumphed as the lingua franca. However, to keep it relevant, we need more effort placed around co-design, governance, and business involvement, says Jones. Throughout side conversations in Austin, the general consensus was that the OpenAPI Initiative should consider more input from implementors to help guide the next generation of the specification.

5. Strategy and Business Have a New Fire

Impeccably designed APIs are nothing without a foundational purpose: they must serve business goals. Thankfully, API business acumen was alive and well at the Austin API Summit.

Having worked with numerous clients on their API strategies, James Higginbotham, Executive API Consultant at LaunchAny, noted how things are shifting back to business fundamentals, requiring intentional focus on refining what an API platform offers. “A successful API platform starts with a focus on delivering value,” he said.

We welcomed Derric Gilling, CEO of Moesif, back to the stage to explore the intricacies of self-service API business model operations. Because productizing and monetizing APIs is more complex than you think — it requires deciding on the right pricing strategy, choosing and implementing a billing and invoicing model, and effectively communicating cost information.

Emmelyn Wang, Global Category Lead, DevOps, AWS, also provided an interesting take on formulating your strategy, which she calls the working backward method. In this approach, you first envision the end outcomes. For example, you might write a press release and Q&A for a launch before any code. This might seem strange, but this strategy can help imagine the ideal customer experience and direct the team management and DevOps processes required to achieve the final results.

Emmelyn Wang applies the working backwards method to API business modeling.

6. Platform Architectures Are Shifting

Lastly, larger architectural changes continue to permeate the API landscape. These are influenced by macro trends such as platform engineering, the move to cloud-native technologies, multi-solution API management, and the need to scale to massive event-driven demands.

Budhaditya Bhattacharya, Developer Advocate, Tyk, debuted the API platform engineering maturity model, inspired by the CNCF maturity model for platform engineering. He sees the emerging platform engineering trend as a response to the “you build it, you run it” DevOps philosophy, which led to increased cognitive load and developer fatigue.

Jonathan Michaux, Senior Product Manager at Gravitee, made the case that unification is necessary now that organizations often implement various API management platforms or gateways simultaneously. “We live in a multitenant world,” he said, emphasizing the need for a centralized control plane to rationalize it all. He also noted that synergies between platform engineering and API management will flourish over the next year. GitOps for API management, anyone?

Jonathan Michaux says more centralized control is needed for API management.

Vidhya Arvind, Staff Software Engineer at Netflix, showcased how Netflix is scaling its connected software using abstraction layers to meet massive demands. To summarize, what you do on the backend must be abstracted from the end consumers. The requests that come in should follow standard HTTP verbs and should be abstracted from the specific mechanics of underlying databases.

Taking Action: But Who Has The Time?

This was by no means an exhaustive list of all the inspiring talks and conversations we had in Austin this year. We also featured new GraphQL advice, looked at emerging standards, and spotlighted exciting case studies of API strategies at Netflix, Plaid, Nylas, and other model API-first companies.

One thing that stuck out to me was speaking to a group of developers who were saying how these best practices sound amazing, and the event validated a lot of their goals. But at the same time… who has the time to actually do all this? Development teams are already under so much pressure to deliver a backlog of features that planning for API consistency, design, and security often becomes an afterthought.

This simple reality shows that leadership must become more involved in API initiatives to direct governance and build great developer experiences for API consumers. If coming from the bottom up, engineers will have to extoll the technical and business benefits of modern API-first architectures to get executive buy-in.

We’re Bullish About APIs

Yes, that’s a llama riding a mechanical bull.

Thank you to all attendees, organizers, and speakers for taking the bull by the horns with us at the Austin API Summit! Special shout out to our sponsors 42Crunch, Gravitee, Liblab, Postman, Traefik Labs, APIMatic, Kong, LuminSign, WireMock, and Zuplo for helping make the event possible. Last but not least, I offer huge gratitude to everyone at the Curity team for organizing such a well-oiled event.

Next Up: Platform Summit 2024

Platform Summit 2024 has been announced! The flagship Nordic APIs conference returns to Stockholm, Sweden, on October 7-9, 2024, to elevate your API game. I can’t wait to see what the next cast of speakers will share.

• If you’d like to attend the event, registration is now open.
• If you’d like to speak at our next event, please submit a talk here.
• If your company would like to sponsor, read our sponsorship prospectus and direct sponsorship inquiries here.

And, as always, please consider signing up for our newsletter to stay on top of API best practices and updates on future Nordic API events. Also, if you have an idea for a blog post, please pitch read our guidelines and pitch a topic here.