Net API Notes for 2021/03/11 - Issue 155
Hello everyone! We are being treated to absolutely glorious spring weather in the Northern Virginia area after a truly miserable winter. However, before I run out for a walk, let's get to the latest batch of notes!
NOTES
IS DOMAIN DRIVEN DESIGN (DDD) OVERRATED?
At the beginning of this month, Stefan Tilkov put on his grumpy pants and published DDD is Overrated. Given that finding useful boundaries is a chief concern for system architects, particularly those building microservices, DDD is familiar to many API folk; in other words, that's kind of a big deal. So why does Stefan think it is overrated?
"if all you’re doing is applying the by-the-book definition of existing DDD terms, and trying to shoe-horn any problem into this existing structure, yours is a very sad designer’s life."
That makes sense if a bit arch. Anytime you apply the wrong tool to a situation, the results will be subpar. Alberto Brandolini, the creator of the Event Storming method, challenged Stefan over Twitter on a few of his points. Alberto is quick to point out that domain-driven design is not nearly as prescriptive as it used to be (which was news to me).
Like is so often the case, the "hot take" is less valuable than the civil, principled disagreement that it generates.
STATIC APIS?!
Corey Butler recently proposed an intriguing idea: static APIs. As the name implies, a static API returns pre-generated assets: JSON, XML, etc. Because these assets are static, they then could be safely hosted by a content delivery network (or CDN).
Corey parallels the benefits of static APIs with the benefits of static websites. These include:
- Reduced cloud computing costs
- Simplified data architecture and management
- Faster and more resilient scaling
But what about writes? Is an API useful if it is read-only? Having attended meetups in the Washington, DC area for several years, the answer is an emphatic yes. Standardized, machine-accessible data is heads-and-tails better than what so many public datasets have had in the past. Even now, in 2021, so many useful insights remain behind manual, one-off request processes.
That said, the underlying data will require changing. In his piece, Corey explains how this process works in his architecture. It reminds me of the CQRS architectural pattern (although Corey doesn't allude to that).
REFRESHING JSON WEB TOKENS (JWTS)
Non-fungible tokens (NFTs) have been all the rage in the tech press recently. (All those bitcoin millionaires have to have some outlet for their newly minted wealth, even if it a slightly less embarrassing version of cryptokitties 2.0.) But let's talk about tokens that are actually useful: JSON Web Tokens or JWTs.
Curity has created a fantastic JWT primer. JWTs are used as access tokens, ID tokens in OAuth, and OpenID Connect flows. However, there's no reason tokens have to be limited to those common occurrences. Anytime a JSON message needs to be exchanged between two parties in a compact, URL-safe way, a JWT might be a viable option.
Whether you're just starting out using JWTs or are an old hand, give the article a look.
MILESTONES
- Okta acquires fellow API identity management company Auth0 in a $6.5 billion, all-stock deal.
- Stephen Mizell and Emmanuel Paraskakis have launched a dedicated API job board, APICareers.com. They're just getting started, but if you are looking for API people, or are an API person looking for a job, give the site a look.
- Stitch, an African fintech, emerges from stealth with a $4 million seed round.
- OWASP, the online security community, has released a GraphQL cheat sheet. Remember, just because the requests still are over HTTP does not mean the threat model is the same as REST-ish APIs you may be familiar with.
- Speaking of security, new API security research into healthcare apps showed that 77% of applications had hard-coded API keys, tokens, or credentials (among other things). Uff-da.
- AsyncAPI posted their thinking behind their community foundation charter.
- Amazon's Werner Vogels had a wide-ranging conversation with ACM on AWS. Buried in the text was this nugget about APIs:
"You have to be really consciously careful about API design. APIs are forever. Once you put the API out there, maybe you can version it, but you can't take it away from your customers once you've built it like this. Being conservative and minimalistic in your API design helps you build fundamental tools on which you may be able to add more functionality, or which partners can build layers on top of, or where you can start putting different building blocks together. That was the idea from the beginning: to be so minimalistic that we could allow our customers to drive what's going to happen next instead of us sitting in the back room thinking, 'This is what the world should look like.'"
WRAPPING UP
A week ago, I sat down with the fine people from Toro Cloud to talk API Governance, digital transformation, and the cultural bits in-between. Having listened to the final result, I'm proud of how it turned out. You can listen to it online or search for the 'Coding over Cocktails' podcast in your catcher of choice.
Also, as a reminder, I'm looking to do another mailbag in a future edition of the notes, much like last year. If you have questions on the API industry, API design principles, or API governance, let me know.
Also, API events are still happening! You can find the list at NetAPI.events.
Finally, thank you for your attention and to the Patreons who enable this newsletter to remain ad-free! That means a lot to me. And, based on the subscription numbers, others too!
Till next time,
Matthew @libel_vox and matthewreinbold.com