
Key API Insights From Platform Summit 2023

And that’s a wrap! Last week’s Platform Summit 2023 gathered 40+ speakers and 250+ attendees to discuss various API-related topics. We had a good turnout, featured some excellent speaker sessions, and we saw a lot of great discussions during the networking breaks.

Seeing so much enthusiasm around API-based development after years without physical events was inspiring! Not to mention, having delicious food, bottomless coffee, and an ABBA cover band helps set the mood a bit, too. 😉

We’ll cover some of our favorite sessions in dedicated articles throughout the coming weeks. But in the meantime, I wanted to collect some of the main takeaways from the keynotes and sessions I was able to attend. Let’s review some of these key insights below.

Many Sectors Are Embracing APIs

APIs are more relevant than ever. We are seeing this play out in various sectors, but the financial industry is arguably leading the pack. Open banking is a global phenomenon spurred by different open banking standards emerging worldwide.

But open banking requires 24/7 attention and “total professionalism,” said Gunnar Berger, Head of Open Banking at Nordea. Usage of Nordea’s PSD2 services and API products has skyrocketed since they first debuted: the bank has onboarded 300 third parties and now processes over 50 million API requests per month.

Open banking is a curious space where regulation is actually influencing innovation. APIs are a revolution and represent the new way of embedded banking going forward. As such, Berger is pushing his team to deliver the best developer experience possible. With excellent developer experience, “half of the battle is already won,” he said.

After technology and IT, sectors where developers are most commonly using APIs include finance, healthcare, education, retail, and gaming. Source: Postman 2023 State of the API Report.

API Governance Needs a Light Touch

Governance around APIs can be Kafkaesque, said Arnaud Lauret, API Governance Lead at Postman. Without common development standards, what you learned on the last API is useless on the next one; you must start from scratch again. But manually enforcing complex, out-of-touch standards wastes time and effort for all involved.

API governance is not about rules or yelling at people. Instead, you should aim for realistic, user-friendly governance that adopts automation, like linters for scanning OpenAPI documents, documentation generators, or complete lifecycle management, to make people as autonomous as possible. API governance is about “helping people with a holistic approach to maximize API-generated value,” he said. His central message: Don’t be the API governance “fireman” from Fahrenheit 451 enforcing rules. Instead, guide developers with wisdom, like Miyagi from Karate Kid.


Arnaud Lauret, API Governance Lead, Postman, presents his keynote ‘Demystifying API Governance: Building Success Through Understanding‘ at Nordic APIs Platform Summit 2023.

Decentralized Identity Evolves API Security

Consider the hundreds of digital services you interact with on a daily basis and their underlying microservices and APIs. To access these services, personally identifiable information (PII) is constantly shared with these parties, often unnecessarily putting users at risk for data breaches and attacks.

A big shift is coming that will permanently change how we deal with user identity online, predicted Jacob Ideskog, CTO at Curity, in his afternoon keynote. This is known as decentralized identity, an alternative paradigm in which users have more control over their personal information. Unlike traditional systems, decentralized identity doesn’t require users to store personal identity information in a single database or central location.

A decentralized identity architecture can reduce friction and risk for all involved and will hinge on interoperable methods to share and issue credentials. Since decentralized identity has many ripple effects on how we handle digital identity within API security and authorization, we’ll be following this space closely as the standards and solutions evolve to address it.


Jacob Ideskog, CTO, Curity, presents his keynote ‘Decentralized Identities Changes Everything, Even Your APIs‘ at Platform Summit 2023.

Sometimes You Need SDKs, Sometimes You Don’t

Developers don’t need SDKs to integrate with APIs, said Sidney Maestre, VP of Developer Relations at APIMatic.io (quite ironically, as his company is known for generating SDKs!). SDKs might not be necessary if you’re still early on, still proving value, only serve a handful of developers, or don’t expose many endpoints.

But of course, there are certain cases where offering SDKs does make a lot of sense. For example, if you’re trying to decrease time to Hello World, if your key users are asking for SDKs or code samples in specific languages, or if the community is already building them independently. On that note, Maestre doesn’t see the harm in allowing community-supported and official SDKs to persist together.

Also, it’s interesting to note that SDKs are common regardless of industry type. Research from SDKs.io also found that the most common programming languages for SDKs are, in descending order, TypeScript/JavaScript, Python, Java, Ruby, PHP, C#, and Go.


Taken from an SDKs.io study that surveyed 100 companies that offer SDKs to discover trends.

Plan For Externalization Early On

We’ve been recommending the API-as-a-product approach for years. But why treat an internal API as a product? Well, one academic study entitled How APIs Create Growth by Inverting the Firm found that firms using APIs saw 12.7% more market capitalization growth than competitors that did not adopt an API strategy.

In his keynote, Jason Harmon, CTO of Stoplight (a SmartBear Company), outlined the benefits of an API-as-a-product strategy as well as tips to get it right. Some of my favorite recommendations were:

  • Don’t test in isolation! Test in scenarios that test the connected real-world customer use cases.
  • APIs are more than technical artifacts. The future of APIs is all about product management.
  • Pick something and ship it! Get something out to prove value, and don’t attempt to boil the ocean from day one.

Jason Harmon, CTO, Stoplight (acquired by SmartBear), presents his keynote ‘API-as-a-product: The Key to a Successful API Program‘ at Platform Summit 2023.

Also read ‘Tips on Building an API Monetization Stack‘ from Matt Tanner

Authorization Is A Top API Security Requirement

The updated OWASP API Security Top 10 (2023) lists several risks rooted in broken access control and authorization, from object-level to function-level authorization. It’s no surprise, then, that our API security track and roundtable discussion had a big API authorization emphasis.

Arguably, API authorization is so challenging simply because of the complexity of the backend. As Anders Eknert from Styra explained, each service is often written in its own programming language and handles authorization in its own unique way, producing its own unique bugs. OAuth remains the core mechanism for issuing and validating access tokens, but he recommends Open Policy Agent (OPA) for the fine-grained part: policies are expressed as rules (written in Rego) that each service queries for an authorization decision, rather than every service re-implementing that logic itself.


Our API security roundtable discussion featured (from left to right) Malcolm Sparks, Judith Kahrer, Erik Nordlund, and Anders Eknert. Moderated by Bill Doerrfeld.

GraphQL Brings Consistency And New Vulnerabilities

GraphQL is not better or worse than REST, said Jens Neuse, Founder of WunderGraph; the two simply focus on different things. Yet he does note that “the average developer builds a better GraphQL API than a REST API.” And the benefits of using GraphQL go beyond simply avoiding underfetching or overfetching.

Neuse likes GraphQL for its field-level analytics and monitoring, the vibrant community surrounding it, the ability to federate a schema, and the consistency of the documentation it generates. On that last note, SpectaQL is an easy way to automatically generate GraphQL documentation as part of a build/deploy process, demonstrated by Christopher Newhouse.

However, these benefits should be taken with a grain of salt, since new vulnerabilities are emerging around GraphQL. Impressive research from the Escape team found nearly 50,000 vulnerabilities after scanning 1,600 public GraphQL APIs. The most common finding was brute-force protection applied only at the HTTP layer: because GraphQL lets a client batch multiple operations into a single HTTP request, a rate limit that counts requests rather than operations can be bypassed. Other common risks include denial of service and internal API schema leaks.


In our packed GraphQL track, Antoine Carossio and Tristan Kalos from Escape showed data collected by an Escape study on GraphQL vulnerabilities.
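The batching bypass described above, as an added example that is not part of the original article or of Escape’s research: a rate limiter that charges one unit per HTTP request lets a client pack 50 login attempts into a single batched POST, while a limiter that charges per GraphQL operation does not. The request bodies, the client key and the fixed-window limiter are all constructed for this illustration, and the example goes one step past the text by also counting aliased root fields, which pack many operations into a single query document.

```python
"""Rate limiting by HTTP request versus by GraphQL operation.

Added example for this article; not code from Escape, from the summit talk,
or from any GraphQL server. The request bodies below are constructed, the
client key is a made-up address, and the limiter is a toy fixed window.
"""
import json
import string

NAME_START = set(string.ascii_letters + "_")
NAME_CHARS = NAME_START | set(string.digits)


def _read_name(q, i):
    """Return the GraphQL name starting at q[i] and the index after it."""
    j = i
    while j < len(q) and q[j] in NAME_CHARS:
        j += 1
    return q[i:j], j


def _skip_ws(q, i):
    """Skip whitespace and the commas GraphQL treats as insignificant."""
    while i < len(q) and q[i] in " \t\r\n,":
        i += 1
    return i


def count_root_fields(query):
    """Count the fields selected at the top level of one operation.

    Minimal scanner, not a full parser: it tracks braces, parentheses, string
    literals, comments and directives so that 'a1: login(...) {..} a2: login(...)'
    counts as two root fields while nested fields and argument names do not.
    Fragment spreads and block strings are not handled; a real server should
    count from its parsed AST instead.
    """
    depth = paren = count = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':                      # string literal, honour escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
            continue
        if c == "#":                      # comment to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        elif c == "@":                    # a directive name is not a field
            _, i = _read_name(query, i + 1)
            continue
        elif depth == 1 and paren == 0 and c in NAME_START:
            _, i = _read_name(query, i)
            j = _skip_ws(query, i)
            if j < n and query[j] == ":":  # 'alias: field' is one field
                _, i = _read_name(query, _skip_ws(query, j + 1))
            count += 1
            continue
        i += 1
    return count


def count_operations(body):
    """Operations carried by one POST body: array batching and aliases both count."""
    payload = json.loads(body)
    items = payload if isinstance(payload, list) else [payload]
    return sum(count_root_fields(item["query"]) for item in items)


class FixedWindowLimiter:
    """Toy per-client budget; 'cost' is whatever unit the caller meters."""

    def __init__(self, limit):
        self.limit = limit
        self.used = {}

    def allow(self, client, cost=1):
        used = self.used.get(client, 0)
        if used + cost > self.limit:
            return False
        self.used[client] = used + cost
        return True


def attempts_reaching_resolver(bodies, limit, per_operation):
    """Simulate one window; return how many login attempts the resolver executes."""
    limiter = FixedWindowLimiter(limit)
    reached = 0
    for body in bodies:
        ops = count_operations(body)
        cost = ops if per_operation else 1      # HTTP-layer limiter charges 1 per request
        if limiter.allow("203.0.113.7", cost):  # constructed client key
            reached += ops
    return reached


# Constructed bodies: one login, 50 logins via array batching, 50 via aliases.
LOGIN = 'mutation { login(user: "alice", pass: "%s") { token } }'
SINGLE = json.dumps({"query": LOGIN % "hunter2"})
BATCHED = json.dumps([{"query": LOGIN % ("p%d" % i)} for i in range(50)])
ALIASED = json.dumps({"query": "mutation { " + " ".join(
    'a%d: login(user: "alice", pass: "p%d") { token }' % (i, i) for i in range(50)) + " }"})

if __name__ == "__main__":
    print("per-request limit of 20, five batched posts:",
          attempts_reaching_resolver([BATCHED] * 5, 20, per_operation=False))  # 250
    print("per-operation limit of 20, five batched posts:",
          attempts_reaching_resolver([BATCHED] * 5, 20, per_operation=True))   # 0
    print("per-operation limit of 20, thirty single posts:",
          attempts_reaching_resolver([SINGLE] * 30, 20, per_operation=True))   # 20
```

Run it directly to print the three scenarios. The scanner is deliberately minimal; in a real server, count root fields and aliases from the AST the GraphQL library already produces, and apply the same per-operation accounting to query depth and complexity limits so that batching cannot multiply those either.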

Miscellaneous Insights

AI will soon shape how we interact with APIs: With advancements in AI, API providers could enable natural language prompts for understanding API documentation and automatically creating requests, an interesting potential AI use case suggested by Zdenek Nemec, Founder and CTO of Superface.

Aim for developer empathy for the best API experience: Consistency is a top struggle when working with API documentation. “Developer empathy is not just a word on the wall,” said Gertrude Westrin. It’s real, and consistency in documentation will enhance the developer experience.

Consider using OpenAPI specifications as a source of truth: Following an OpenAPI specification is like reading sheet music: it keeps all performers (developers) on the same page, said Brett Bush. But what happens when teams drift out of sync with the spec? To catch this, Bianca Lisle and Reuben Harrison presented oasdiff, an open-source tool that diffs two OpenAPI specifications and flags breaking changes between them.

See You At Austin API Summit 2024

We were overjoyed to renew the Platform Summit after a four-year hiatus from physical events! Thank you to all our stellar speakers, the attendees who participated in great discussions, and the sponsors for helping make the event possible. A huge thank you to the event crew and the Curity team for organizing such a well-oiled event.

The good news is our next Summit is already on the books. We’ll be reviving the Austin API Summit next year in Austin, Texas, March 11-13, 2024. Registration and call for speakers is already open.