8 Tips for Creating an API Catalog (and Why You Need One) Posted in Platforms J Simpson January 31, 2023 APIs are only useful if you can find them. Otherwise, you waste time digging around for APIs to use, looking for replacements, and essentially doubling your work. The worse could be creating a new API, only to eventually realize one already exists within your organization. API catalogs are essential for organizing and maintaining your APIs. They eliminate redundancy by making all your APIs discoverable, including third-party APIs and any you’ve created in-house. An API catalog is also invaluable for API security and API testing, as it consolidates all of your APIs into one place for your security tools to find. Many API management tools even have native API testing. API catalogs also significantly reduce the likelihood of shadow and zombie APIs, which could leave your organization vulnerable to attack. Below, we’ll share some tips on how to create your own API catalogs. We’ll also consider some best practices to help you make the most of your API catalogs while ensuring they are secure. 8 Tips For Creating an API Catalog 1. Decide On An API Management Tool There are numerous API management tools capable of creating and maintaining API catalogs. Each one is excellent, with a number of powerful features to recommend it, so which one you choose will ultimately come down to a matter of taste. Some popular API management platforms include: Akana RapidAPI HubSpot Mulesoft Anypoint If you don’t want to use an external API management tool, you can always add a page to your website where you list all of your APIs, as well. Below, we’ll be using Postman Collections as our API management solution, as it’s free and robust enough to create and maintain an API catalog. 2. Organize APIs By Type Organization is key to API discoverability. Besides API security and testing, API discoverability is the most common reason to use an API catalog. Organizing your APIs is an art and a science unto itself, however. Say you’re using Twilio API for sending SMS and MMS messages. Now imagine you sometimes use SMS to communicate with team members, on the off-chance they’re out of the office or away from wi-fi. So, you categorize Twilio API under messaging APIs and remote collaboration tools. In this example, Twilio could also count as team messaging APIs. This is just one brief example of how one API can fall under numerous categories. Don’t be afraid to include an API in multiple categories as relevant. The key is finding APIs that will meet your needs when you’re looking for them. 3. Distinguish Between Internal and External APIs Although you could organize all of your APIs by function, it’s often a good idea to differentiate between internal and external APIs. Internal APIs might only be authorized for internal use, for example. Labeling one as such would be inappropriate if you’re creating a public-facing API. If you were using Postman Collections, you might create separate collections for internal and external APIs, for example. Then you might have a master list and specify different APIs with detailed documentation and nomenclature. 4. Consider Example API Catalogs Having concrete examples to base your own API catalogs on is very useful. It takes the guesswork out of the process, leaving you to fill in the blanks. Looking at examples also helps you to think of things you might not have thought of otherwise, eliminating potential blind spots. For example, take Facebook’s API Catalog. It’s a great model of a clean, well-organized API catalog that’s also quite actionable, with plenty of concrete examples and tutorials to help someone get started. A developer discovering Facebook’s API catalog could be up and running in a matter of minutes after discovery, which is the hallmark of a good and useful resource. Facebook’s API catalog also demonstrates how a holistic developer-focused catalog can include other assets, as well. 5. Specify Access Levels Another common way to organize API catalogs is by department or level. You might have one API collection for admins, for instance, and another for developers. This is also a good practice for API security, as it reduces the likelihood of vertical broken access control. As with our other comment about API organization in general, nothing is preventing you from having an API in multiple collections. However, you don’t want to accidentally expose sensitive APIs when you have APIs tagged by access levels and other attributes. 6. Do Regular API Audits Once you’ve set up your API catalog, you’ll want to perform regular, routine maintenance to ensure its functioning efficiently. You’ll want to do a regular API audit of your API catalog to make sure all of your APIs are up-to-date and current. Luckily, that’s easy to do once your API catalog’s set up. 7. Make It Available Across Your Organization For an API’s discoverability to be truly useful, it needs to be able to be found by everybody. Once you’ve created your catalog and got it set up to your liking, you’ll want to ensure it can be accessed by all departments producing and consuming APIs. Otherwise, you risk creating unnecessary duplicate APIs due to siloing, which defeats one of the primary purposes of having an API catalog in the first place. 8. Make Sure Your API Documentation’s Up To Date Some catalog solutions organize APIs via API documentation. If that’s the case, you’ll want to make sure your API’s documentation is up-to-date and, ideally, created using some sort of API specification like OpenAPI. Following an API specification allows your API documentation to be read by API documentation generators, making your APIs even more discoverable. Final Thoughts On API Catalogs As APIs become even more prevalent, API catalogs are going to become more and more important. For one, when you’re dealing with so many APIs, it’s essential to stay organized or run the risk of becoming overwhelmed. Secondly, API catalogs are an increasingly important component of API testing and security. It’s all too easy to forget about some test or production API that could accidentally end up exposing vulnerable endpoints and valuable data. API catalogs aren’t only important for internal APIs and usage, either. API directories like RapidAPI provide a public form of an API catalog, too. The same principles that allow your APIs to be discovered internally will also enable them to be located by users, customers, and clients.