The API economy is evolving. We continue to see API use cases emerge across industries, from telecommunciations, to finance, retail, and elsewhere. In addition, new tools and tactics are being adopted to help software providers manage their growing API portfolios. Cutting-edge technologies like generative AI are posing both benefits and new concerns. And amid all this change, the API space is alive and well.

From April 30th to May 1st, 2024, the API community reconvened in New York City for the annual Apidays New York conference, an event that brought out hundreds of API experts and implementors to discuss the critical trends propelling the industry forward. A big focus for the event was the role AI is having across the API economy.

Below, I’ll explore some of the key takeaways from the sessions I was able to attend. From governance and security strategies to new management architectures, these themes represent just a cross-section of what today’s API thought leaders are tinkering with and exploring.

AI Brings Good And Bad

Large language models (LLMs) are offering numerous advantages to software engineering at large. Yet, AI isn’t without risk. In fact, a Stanford survey found that developers with access to an AI assistant “wrote significantly less secure code than those without access.”

Part of the concern is regarding hallucinations, which still present a major drawback for generative AI. In his opening keynote, Jeff Crume, a Distinguished Engineer at IBM, showcased how OpenAI’s GPT-3 is susceptible to contradiction and fabricating information. For Crume, trust and security in the era of generative AI will be challenging. “The world of AI and deep fakes is going to be really difficult for us going forward,” he said.

But just as AI can enable adversaries, it can also help inform API security postures. According to Corey Ball, Chief Hacking Officer at APIsec University, penetration testers can use generative AI to their advantage, especially with resources like Hacking APIs GPT, a ChatGPT plugin with robust prompts to perform API endpoint analysis and security reviews. In this manner, generative AI could help tighten up insecure endpoints that might expose sensitive information.

One way developers could use AI effectively is by employing it to learn about API concepts and write use case code — actions that S. Adeel Ali, Founder and CEO at APIMatic.io, describes as dynamic. This is opposed to API access code, which he sees as static and should rely upon a specification as a source of truth. Essentially, according to Ali, training AI on deterministically generated code could prevent hallucinations and streamline how developers consume APIs.

API Governance Helps Avoid Chaos

No discussion about API strategy feels complete these days without a take on API governance. And at Apidays, governance was a recurring discussion topic. In previous years, constructing APIs in various styles across an organization was less of an issue. But now that API portfolios have ballooned into the hundreds — if not thousands — many leaders realize they need more consistency across their inventory to avoid shadow IT and redundancy.

One interesting case study was shared by Dugald Morrow, Developer Advocate at Atlassian. Before Atlassian began its governance journey, API standards in Atlassian were “organized chaos,” said Morrow. Teams were generally autonomous and made their own processes with little consensus on standards. However, Atlassian realized standards were needed to reduce incidents and improve API changelogs.

To enforce standards, Atlassian built an internal automated governance framework baked into their git workflows. Although there isn’t 100% adherence yet, Morrow says their “extensibility standards” have already demonstrated positive results, reducing incidents and increasing customer satisfaction.

But what exact patterns should be enforced? API standards hinge on the right patterns for design. Author and advisor Mike Amundsen shared helpful tips from his book, RESTful Web API Patterns and Practices Cookbook, which compiles 75 API patterns and design practices. According to Amundsen, pattern thinking can help design more intelligent systems. His recommendations can be distilled into making services modifiable, making data portable, and making workflows flexible.

New API Management Architectures Are Emerging

Alongside the interest in governance, new modes of API management have begun to emerge. At Apidays, we learned about ways to orchestrate microservices for enterprise-grade workflows, such as Conductor, as well as new middleware, like Lunar.dev, which is focused on optimizing third-party API usage post-integration. In short, the API world is diversifying, said Mark O’Neill, VP Analyst at Gartner, who indicated how gateways have become more lightweight in recent years.

We have moved from full lifecycle management solutions into more “composable API management,” said O’Neill. In this new era, API management weaves together multiple best-of-breed tools for things like linting, testing, monitoring, security, monetization, and other areas. While not everyone is sold on the API bundling concept, it sure has sparked interest from commentators and analysts alike.

Regardless, the importance of APIs for the business cannot be understated, and easing the maintenance burden will go a long way to keeping pace. “APIs are the digital front door to your organization,” said James Higginbotham, consultant at LaunchAny and co-maintainer of the API Developer Weekly newsletter. “When teams are forced to figure out the API lifecycle every time a new API is required, expect slower delivery and misalignment with enterprise goals,” he said.

Banks Are Midway Through Their API Journeys

Although APIs are nothing new in finance, many banks are still midway through their modernization processes. For instance, one impressive refactoring initiative was detailed by Sheldon Schwartzenberger, Manager of Enterprise Applications at Prospera Credit Union. In 2023, Prospera began transforming its monolithic codebase into a more agile, decoupled API-driven system. They have been replacing their legacy API middleware using Gravitee and have reported an average request time decrease from 1000ms to 96ms.

Unsurprisingly for a tech event in New York City, many other financial institutions were represented at Apidays, including Capital One, Mastercard, Fidelity Investments, BNY Mellon, American Express, and others. However, what was interesting was that both regulation and the need for open integrations with third parties are spurring change across financial companies. “Customers want to share data with third parties, and they want to use third parties to manage their money,” said Kathy Wong, Head of Product for Export Aggregation, Chase. Enabling this will require establishing a high degree of trust to ensure secure data sharing and user privacy.

(Many) API Security Approaches Need to Evolve

Some development teams working in specific conditions will require a higher degree of security for their APIs. These include financial or healthcare environments dealing with sensitive data. At Apidays, Jonas Iggbom, Director of Sales Engineering at Curity, explained why hardening the access token is key to securing user identity. Your typical OAuth flows can only take you so far, which is why he advocates for the phantom token approach, which combines the secrecy of opaque tokens with the convenience of JWTs.

APIs are great enablers of digital innovation but are prone to many insecurities. In his Apidays presentation, Travis Spencer, CEO of Curity, outlined what he sees as the major risks: unsecured APIs, unauthorized access, and unsafe user experiences. For instance, broken object-level authorization, an all-too-common common API risk, can easily lead to information disclosures and data loss. For Spencer, securing APIs will hinge on a scalable, token-based zero trust architecture.

Thinking Bigger Than APIs

One insight I found particularly interesting (which is probably obvious to folks outside of the API space) was that software providers should think bigger than APIs. Sending developer portal visitors straight to the integration code may make sense for seasoned programmers. Yet, many other potential consumers, from project managers to low-code/no-code users, are interested in your API’s underlying capability, not so much how to construct a POST request or parse a JSON response.

In his talk at Apidays, Kristof van Tomme, CEO and co-founder of Pronovix, made the case why we shouldn’t be API purists. When it comes down to it, APIs are just a means to a functionality that could be abstracted and served to a consumer in various ways. As such, your developer portal should consider the entire interface portfolio, from plugins to web apps, no-code tooling, or other solutions. It’s worth noting that many top API providers are already doing this. “Once you’ve looked around, you’ll see solutions everywhere,” said van Tomme.

Thank You Apidays!

I’m really thankful to Apidays NYC for inviting me to join them on Day 2 to talk about the emerging trends we’re observing and covering on Nordic APIs. During the session with Mehdi Medjaoui, we delved into many of the topics above while keeping it cozy with a virtual crackling fire for our ‘fireside chat.’ It was a fantastic experience connecting with everyone at the event!

For those who want to dive deeper into what Nordic APIs is all about, here are some handy links to the resources I mentioned during our discussion. Consider it your introduction to Nordic APIs if you’re not already familiar with our community.

• Newsletter: If you want to keep up-to-date with API news and tips, follow the newsletter here.
• Writing: If you have an API story to share and would like to write for the blog, we welcome submissions from the API community! Information on contributing is here. I’m also happy to help review ideas.
• Events: Nordic APIs is hosting a couple of yearly summits: the Platform Summit in Stockholm and the Austin API Summit in Austin, Texas. Registration for the next event, The Platform Summit, October 7-9, is now open.
• Call For Speakers: Nordic APIs has a rolling call for speakers for our events. The submission form is here.