API Discovery: The Keys to the Castle

Art Anthony
January 13, 2021

We review API Discovery, a new API directory focusing on security and legal compliance, and compare it to other API benchmarkers.

In a previous article, we wrote about some of the exciting implications of API.Expert. The app offers an easy way to get a snapshot of an API’s performance and encourages increased accountability in the space. One limitation we highlighted was the lack of options for discovery within that service, with only the larger “household name” APIs being assessed.

TeejLab’s API Discovery aims to address this gap in the market. Collating data from close to 16,000 APIs across 24 different categories, API Discovery encourages broader consumption while still allowing users to get information about APIs and their documentation, as well as executing requests on endpoints and running security tests.

The big question is, as a freemium service, is it worth shelling out for the extra features? Below, we take a closer look at what API Discovery has to offer.

What API Discovery Does Well

A big part of API Discovery’s value is that it lets you do things like view sample responses to endpoints from APIs in the catalog without having to generate a key yourself, although you can use your keys if you prefer.

The result is a snapshot of execution results that includes information about response size, errors, host server location, and metadata. The only thing that’s missing is a bit more information about how long the request took to process next to that timestamp…

For API geeks (and yes, we are putting ourselves squarely in that category), the app is an absolute playground.
Once you’re finished delving into how comparable APIs stack up against each other, you can have hours of fun looking for similarities between endpoints in things like Twitter and weather maps…

Back on the more useful side of things, you can use API Discovery for a security check-up of your own API, or one that you might be interested in using. Not all of this stuff works right out of the box — guess that’s a preview of the limitations section below — but, after it’s been set up once, it’s straightforward to run every now and then. For some, the inclusion of OWASP and PCI analysis alone could potentially make the outlay of API Discovery worth the admission price.

Nevertheless, a freemium account offers plenty for users to sink their teeth into — there are tons of categories to explore, including AI, Business & Tech, Weather, Finance, Health, Government, Security, Social Media, and others.

API Discovery is pretty upfront about what each type of account can and can’t do, so we can’t imagine anyone signing up for a certain plan then feeling like the rug has been pulled out from under them due to the absence of a particular feature. More on that below.

Free Vs. Paid Plans

Even though it’s fairly transparent on their website, it’s probably worth us covering what this service does and where its paywalls sit.
There’s a more detailed look at all this on the app’s Pricing page, but these are the headlines:

Freemium
- API Discovery, including documentation and T&Cs
- Test APIs using sample and live data
- Compliance, i.e., discover embedded APIs and personally identifiable information analysis

Individual
All of the above plus:
- Compare the performance of different APIs
- Security functions including common API key, personal API key, and code snippet analysis

Academic
All of the above plus:
- Team collaboration enabled

Corporate
All of the above plus:
- OWASP analysis
- PCI analysis

Unfortunately, the comparison and OWASP security analysis features are paywalled in the freemium account, but it’s easy to understand why this is the case; a more traditional model, like a two-week free trial, would make it easy for an organization to run all the tests they wanted and disappear forever at the end of the trial… but then again, isn’t that true of most free trials?

For the most part, this feels like teething issues that will probably be ironed out as the creators of API Discovery figure out its place in the market.

Interestingly, API Discovery actually has its own API, and checking out its thorough documentation is as good a place as any to start digging into what API Discovery has to offer.

Limitations of API Discovery

In our piece on API.expert, we suggested that “setting universal API performance benchmarks might prove stifling for API developers who are building side projects as a labor of love that they can’t afford to dedicate much time to.”

Ultimately, however, that site’s CASC benchmark offers a useful way to get an “at a glance” picture of how an API performs. Although API Discovery allows users to compare different APIs, it lacks a performance-based metric that functions like the CASC benchmark does.

API Discovery is a useful tool, but it’s one that can take a little digging around to get the best out of.
Fittingly, given its name, it prioritizes the joy of discovery, and you’ll probably find yourself thinking — “oh, that’s cool, I didn’t realize I could do that with it” as you play around. We’d recommend putting aside a little time to experiment before you start setting anything up in earnest.

Finally, one small issue is that the UI could use a little refinement to develop consistency throughout. For example, sometimes loading illustrations will whirr away for a while without anything looking any different when they’re done. And hovering over certain symbols provides more information in some instances but not others. These are minor issues, though, and we’d imagine that they’ll be ironed out as the service is iterated on with the impending full release.

Is The API Discovery Problem Now Fixed?

In a word, no. Any platform relating to API rating or discovery faces an uphill battle since most folks interested in APIs have already made adjustments to accommodate for the fact that there aren’t too many catalog services on the market. How’s that for a catch-22…?

Exceptions include catalogs like APItracker.io, RapidAPI, or ProgrammableWeb’s API Directory. Cataloging almost 24,000 APIs, PW’s directory has become popular despite (or perhaps because of) a neutral approach that doesn’t evaluate individual APIs.

Services like API.expert and API Discovery might be able to change that status quo because they’re doing things the right way. There are no playing favorites, no sketchy paid promotion, and no questionable or outdated APIs. They’re using benchmarks and safety scores, albeit in slightly different ways, to recommend APIs on their own merits.

Despite the dominance that ProgrammableWeb currently enjoys as an API directory, there are no signs of information relating to security or metrics being added to the service any time soon. In that respect, both services above have their place in assessing the suitability and performance for both internal and third-party APIs.