Why API Gateways Should Be Programmable


If you’re an API developer, there’s a high chance you like your tools to be programmable. Programmability is not just standard in HTTP API requests to popular SaaS tools — it’s also a core element of today’s DevOps practices, like git and infrastructure as code. So, shouldn’t the technology we use to manage our APIs also be just as configurable?

According to Josh Twist, CEO of Zuplo, a programmable API gateway, typical API management solutions get you about 80% of the way there, but stop short of becoming genuinely customizable frameworks. “It’s a shame so many don’t offer a simple, intuitive programming environment,” he says. Each API is unique, catering to various consumer roles and business models. As such, API owners often want more granular control over areas like monetization, rate limiting, and security policies.

I recently synced with Twist to understand the benefits of inserting this sort of programmable logic in the API gateway layer. Below, we’ll consider the current state of API management, the benefits of making API gateways more programmable, and what sort of workflows a higher degree of programmability could enable for savvy API developers.

State of API Management and Gateways

Josh Twist, co-founder and CEO of Zuplo.

Before starting Zuplo, Twist shared that his development team at a previous company would purchase an API management solution, deploy it, and then code a homegrown middleware to enable the sort of customization they required. “Why don’t we empower developers with that superpower to write native code?” he asks.

Flash forward to today, and most API management platforms have added programmability to varying degrees. Yet, not all of them rely on open standards or are extensible, not to mention usable, explains Twist. In the market today, what sets them apart is the degree of programmability.

The concepts of ‘API management’ and ‘API gateways’ are often used interchangeably. However, as Twist notes, the most essential element of an API management platform is the gateway at its core. Whether you’re using Istio or NGINX, it takes a unique set of skills to operate things like policy creation or fine-grained rate limiting. That said, customization at the gateway layer can bring countless benefits to API providers, says Twist.

Benefits of Programmable API Gateways

If things aren’t customizable, “you’re forced to think of the world as one model,” says Twist. Where API management is concerned, this could stunt abilities like introducing variable business logic for various consumer types or configuring smarter routing based on network conditions.

Also, a big benefit of programmability is speed: a headless style means developers can stand up a gateway and configure it in a matter of seconds. Or, they can integrate it within their existing internal development workflows. Twist shared some other areas where greater programmability at the API gateway layer could specifically benefit API development and operations.

Variable Rate Limiting

As Twist says, API rate limiting is a subtle art. You can rate limit API requests in many ways: globally, by IP address, by user, or through custom functions. Being able to dynamically adjust rate limits for APIs means you can set thresholds for a wide array of roles and conditions.
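
The keying options listed above (global, per IP, per user, custom function) can be written as interchangeable policy functions that a gateway evaluates per request. The following is an added example, not code from the article, Zuplo, or any gateway product; every name in it (`policies`, `createLimiter`, `req.userId`, `req.plan`) and the tier limits are hypothetical.

```javascript
// Added example with hypothetical names; not the API of Zuplo or any gateway.
// A policy maps a request to { key, limit, windowMs }. req.userId and req.plan
// are assumed to come from the gateway's authentication step, never from a
// client-supplied header, so a caller cannot pick its own bucket or tier.
const MINUTE = 60_000;
const TIERS = new Map([["free", 2], ["pro", 5]]); // constructed limits

const policies = {
  global: () => ({ key: "global", limit: 1000, windowMs: MINUTE }),
  byIp: (req) => ({ key: `ip:${req.ip}`, limit: 60, windowMs: MINUTE }),
  byUser: (req) => ({ key: `user:${req.userId}`, limit: 120, windowMs: MINUTE }),
  // Custom function: the threshold depends on the caller's plan.
  byPlan: (req) => {
    // Unauthenticated callers share a per-IP bucket with the lowest limit.
    if (!req.userId) return { key: `ip:${req.ip}`, limit: 1, windowMs: MINUTE };
    // Unknown plan names fall back to the most restrictive tier.
    const limit = TIERS.get(req.plan) ?? TIERS.get("free");
    return { key: `user:${req.userId}`, limit, windowMs: MINUTE };
  },
};

// Fixed-window counter kept in memory. `now` is injectable for testing.
// Stale windows are not evicted here; a production limiter needs expiry.
function createLimiter(policy, now = Date.now) {
  const windows = new Map(); // key -> { start, count }
  return function check(req) {
    const { key, limit, windowMs } = policy(req);
    const t = now();
    let w = windows.get(key);
    if (!w || t - w.start >= windowMs) {
      w = { start: t, count: 0 };
      windows.set(key, w);
    }
    if (w.count >= limit) {
      // Reject and tell the client how long until the window resets.
      const retryAfterSec = Math.ceil((w.start + windowMs - t) / 1000);
      return { allowed: false, status: 429, retryAfterSec };
    }
    w.count += 1;
    return { allowed: true, status: 200, remaining: limit - w.count };
  };
}
```

Swapping `policies.byPlan` for `policies.byIp` or `policies.global` changes the keying without touching the limiter itself.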

Intricate Monetization

A driver behind many public API initiatives is to create a profitable business model. But API monetization is more complex than you might think. Programmability at the gateway layer can help set intricate monetization models, ranging from standard per-request or monthly quotas to pricing that varies with the complexity or bandwidth of individual calls.

Smarter Routing

Programmable gateways can also enable smarter routing for API requests. Essentially, when a request comes in, it could be programmed to call a service to determine which cluster of services to route it to. Twist sees this capability as especially advantageous for early-stage AI companies.

Shortening The Feedback Loop

You shouldn’t have to submit a Google form to make changes to the gateway. Instead, Twist advocates treating API management the same way developers operate with other tools — using an infrastructure-as-code approach with configuration scripts. This can increase developer autonomy and productivity, he says.

Governance and Compliance

Programmable API operations could also benefit governance and compliance, says Twist, enabling a script-like experience for unique policy creation. A process that supports git and popular DevOps tools can also integrate better into linting and security testing workflows. For example, this could mean triggering Spectral rules to be tested as part of each pull request, which could flag warnings and errors about non-compliance.

Customizable Developer Portals

A cutting-edge idea is the programmable developer portal, which Zuplo is currently spearheading, says Twist. This can enable developers to add routes and deploy new environments with dedicated documentation. Generating documentation on the fly is also a great way to obtain quick feedback and collaborate with real-time API testing, he says. Custom developer portals could also help segment access to specific areas of a larger API portfolio, helping avoid oversharing information.

Composable With Sensible Defaults

Many API management platforms and their gateways aren’t that advanced, leaving developers wanting a more customizable framework, says Twist. That said, you want to ensure presets are in place. Programmability is great, but having default options for areas like role-based access control, rate limiting, or monetization is an important foundation.

In general, a more customizable API gateway could replace some GUI-based full lifecycle API management solutions, which some commentators see as becoming more unbundled in recent years. Yet, it seems like the key here will be balancing the desire to program custom logic with the ability to generate default rules on the fly. Developer tools like API gateways should be “highly composable with sensible defaults,” says Twist, who has been sure to embed this product philosophy into his work.

As with many things in programming, finding the right level of abstraction for your needs is a moving target, but one that is getting easier as the technology around API management advances.