APIFutures: API Sprawl to Be a Pressing Concern in 2024 Posted in DesignPlatformsSecurity Bill Doerrfeld January 11, 2024 API reliance is continuing to escalate across the board. And, in some situations, it’s getting out of hand. A 2021 F5 report estimated the total number of APIs worldwide (public and private) is approaching 200 million. We’ve also seen an increased emphasis on API governance lately, likely due to the need for more standards and oversight in the wake of such sudden API growth. 86% of developers surveyed by Nylas reported they anticipated their use of APIs to increase. And, in 2023, new threats like Improper Inventory Management and Unsafe Consumption of APIs made the OWASP API Security Top 10. To me, this demonstrates the growth in overall API usage and the fact that organizations aren’t always keeping an accurate inventory of the APIs they produce and integrate into their applications. In the immediate future, I anticipate large organizations running into more API sprawl issues. And in the coming year, addressing API sprawl will become more of a pressing priority for IT leadership. This will likely materialize in the form of more API governance and guardrails around internal API-related operations. Below, I’ll overview what sprawl is, what software architects should watch out for, and how they can respond. This post is part of APIFutures, a community-led, collaborative effort to identify the top challenges and opportunities facing the API economy in 2024. For other perspectives, be sure to read the articles by other authors listed here. API Sprawl: The What, Where, How, and Why Companies are using more and more APIs. Developers are wrapping APIs over databases, and teams are deploying applications built upon internal microservices. IT is also consuming various public API-based SaaS to avoid reinventing the wheel. They’re even externalizing their own APIs as fully-fledged products. In short, the number of APIs a single company manages continues to increase. For example, Rapid’s 2022 State of APIs report found that large companies with 10,000 or more employees tend to have over 250 internal APIs. But, likely due to pressure to deliver code faster, many of these APIs are going undocumented. Alarmingly, only 10% of organizations fully document their APIs, according to a 2023 report from Enterprise Management Associates (EMA). This is a scenario poised for sprawl issues. In the context of APIs, I see sprawl as a quick, half-hazard adoption of APIs without following best practices. Overwhelmed with an escalating number of endpoints and juggling all the different versions and support timelines, managing a widening API portfolio becomes increasingly hectic. This can be especially challenging for those who initially thought the API movement was just a passing fad early on and didn’t bake the right practices into their software development culture for the long run. To put it simply: If you don’t know what APIs you have in your portfolio, you may have sprawl. If you don’t know where your APIs exist, you have sprawl. If you don’t know how your APIs are doing, you might have sprawl. If you don’t know why your integrations are breaking, you might have sprawl. The Challenges of API Sprawl API sprawl presents several potential challenges for software development groups. For instance, developers may waste time navigating the spaghetti code of intertwined, undocumented services. Or, it may be the harbinger of forgotten zombie APIs that pose security threats. Here are some challenges API sprawl can bring a software organization. Poor Service Discoverability Amid tooling sprawl, the likelihood of having a comprehensive catalog of all your internal services begins to wane. APIs become much less discoverable, hurting internal reusability. A lack of API inventory management can have dire security repercussions, too, since you can’t secure what you don’t know, as they say. Fixing vulnerabilities hinges on knowing what APIs exist and where, and an unmanaged widening surface area becomes stomping grounds for hackers. Inconsistencies Between APIs Another outcome of a ballooning API portfolio is contending with disparate protocols and styles. Web APIs, as we know them, have been in development for roughly two decades. Many API design formats have emerged in this timespan, from SOAP to REST, webhooks, WebSockets, GraphQL, and asynchronous protocols. These paradigms were leveraged to suit different needs and technology stacks at various times. And, in a large company, developers are likely juggling a combination of both newer and more legacy formats. A lack of guidance around API style across an API inventory can prevent learnability and inhibit developer experience. Lack of Lifecycle Management APIs evolve, and major versions may alter their structures or request mechanics, causing breaking changes. Ungoverned API sprawl can produce a situation in which the state of APIs and their versions is not tracked well. Without well-documented versioning and deprecation information, you can have a fractured ecosystem with unclear support timelines. At the micro level, the issues caused by API sprawl can lead to a more chaotic software design culture and worsened developer productivity. At a macro level, unmitigated sprawl could affect the business by causing broken clients and outages for the end user, equating to a loss of revenue. Security threats stemming from sprawl issues could also lead to costly breaches, harming a business’ reputation and balance sheet. Opportunities And Solutions To Mitigate API Sprawl Okay, that’s a lot of doom and gloom. So, what are some potential solutions to avoid API sprawl? Well, the vendors will say you need some sort of unification layer or management platform to contend with API sprawl. While that may be helpful in certain situations, I’ll focus my advice below on some more general practices to help encourage better API standards across an organization to reduce the adverse effects of sprawl. Document your APIs: Document the APIs you develop and follow standard documentation guidelines. Include human-readable method descriptions, error messages, and sample code. (Here are good examples of API documentation). Assign people to support these APIs. (Documentation generation is one area where AI might assist in the near future). Keep an active API inventory: Keep an up-to-date internal developer portal that lists all the APIs your organization maintains and integrates. This may involve continual runtime analysis to generate an active inventory. A spreadsheet is better than no action at all, but ideally, this system is more dynamic. A functional API inventory will help with risk management and compliance, too. Have an API style guide: Centralize API design practices with an API style guide that outlines common conventions for your organization. You could also lint new APIs against this style guide as they are created. Use specification-driven development: This may still be a dream, even for API-first companies, but spec-driven development brings many benefits worth considering. Synchronizing documentation, SDKs, and production implementations with a core OpenAPI specification grants tangible outcomes for API management at scale. Automate API governance: Dedicate personnel to advance API excellence and knowledge-sharing. However, another option is to make API governance self-service when possible. This could be a tool that scans API specs to reveal flaws or automatically catalogs services, for example. Check out APIs.json: APIs.json is an interesting machine-readable specification that can help improve the discoverability of API operations and metadata. Plan for the long-term: On the provider side, many APIs are built without a plan for long-term maintenance and eventual retirement. Treat the service as a product, and set these policies upfront. Formalize feedback mechanisms: To encourage more collaboration, it’s good to incorporate other developers’ feedback as you iterate new interfaces. Taking this a step further, Google’s API Improvement Proposals is an example of an interesting API design guidance system. Final Thoughts One on hand, I’m very excited about the growing momentum around API adoption. And arguably, the current AI wave will only bring new APIs to the market. However, in 2024, I anticipate more emphasis on responding to the operational logistics of ungoverned API development and integration. Architects will have to deal with sprawl in some form or another. 2023 was a record year for API breaches. According to a FireTail report, API disclosures within the first two months of 2023 accounted for a potential impact of 49 million records. Inventorizing these APIs will be essential to increase visibility into the widening portfolio and potential threats therein. Sprawl rears its ugly head within a large organization with various siloed software development departments and a lack of communication. But, many of these issues can be overcome as API usage scales, with a collaborative culture that follows best practices concerning design, documentation, lifecycle management, and overall knowledge sharing. APIFutures is a creator-led initiative that brings together a diverse array of voices from the API community to identify the most significant opportunities and challenges facing the API community in 2024. Be sure to read the other APIFutures articles here. The latest API insights straight to your inbox