Net API Notes for 2021/07/14 - Issue 169
Net API Notes is a regular, hand-curated digest of impactful news and analysis for busy API practitioners.
The API Days Interface conference was at the beginning of July. To their credit, they've already posted the session recordings to their YouTube playlist. When I wasn't packing for an upcoming move, I sampled the presentations. Here are my recommendations in this edition of the Net API Notes!
NOTES
HUMAN-CENTERED API GOVERNANCE WITH ARNAUD LAURET
STRAT / DESIGN
/ DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Arnaud Lauret, the API Handyman, has been running API review programs for some time. In this presentation, entitled "Human-Centered API Governance", Arnaud does a wonderful job distilling his expertise into a powerful, concise message.
The entire video is worth enjoying, but there were two particular areas I wanted to comment on. The first is the fine line between lending expertise and dictatorial decrees during an API design review. Arnaud says around the 13:35 mark:
"But beware: these reviews can turn into a counter-productive trial if you are not careful. A design review is not about policing and beating up on the people because their design is breaking or non-compliant, or worse, it sucks from the reviewer's perspective. An API design reviewer is not the inquisition of API design... Being an API design review is more about being a consultant; helping people identify their needs."
To these ends, Arnaud recommends replacing a design gate (a hard stop requiring a design review before a team may proceed) with a workshop. The purpose of the workshop is to design the API together.
The other aspect that strongly resonated with my own experience was the purpose of API governance. As Arnaud describes, doing his job as a teacher and mentor correctly means that he would no longer be needed; rather than feeding a dev a design, he has taught them how to design.
In my case, I was asked what the long-term vision was for my API Center of Excellence team several managers ago. I replied in much the same way: my vision was to create self-sustaining processes, quality-rewarding behaviors, and feedback improvement loops. If we reached that point, then requiring "experts" to stand between an idea and a production environment would no longer be necessary. My long-term vision was to make my group redundant.
Unfortunately, this particular manager placed a high importance on headcount and budget growth. Those were used to justify title promotions and salary growth. The priority was to justify hiring more fishermen to grow the group (and its stature), not teach others to be self-sufficient. A threat to that, however well-intentioned, was not well received.
(Some professional advice from the "obvious-things-that-Matt-learned-the-painful-way" file: when the manager is hyper-focused on the growth story, don't point out that growth-for-growth's-sake isn't healthy, it's cancer; that's not a great move, even if it is honest. There are better ways of influencing leadership than making your boss's beliefs the subject of a sick-burn. Thanks for coming to my TED-talk.)
10 KEYS FOR TURNING APIS INTO A JOB PROMOTION
STRAT
/ DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Brenton House may have had one of the most popular, well-liked videos of the entire event. In his talk, he discussed "10 Keys for Turning APIs Into A Job Promotion".
What I liked about this presentation was how much Brenton emphasized the storytelling aspect of APIs. To broker change within an organization, it is not enough to create some great tech. It is incumbent on the change-maker to connect what they can do with how this impacts others. It requires bridging the communication gap between API possibilities and the organization's needs.
Brenton lists a number of these areas where communication is necessary and outlines the next steps. This is a presentation I don't see enough people taking advantage of in their work. Will it get you that promotion? By the number of video likes, quite a few people seem to think so.
TWILIO'S JEFF LAWSON IN A FIRESIDE CHAT
STRAT
/ DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Speaking of storytelling, an API Days conference highlight was a fireside chat with Twilio's Co-Founder and CEO, Jeff Lawson. Jeff is highly charismatic and could probably be entertaining while reading a list of Twinkie ingredients. However, he shares how "Ask Your Developer" went from a puzzling Silicon-Valley billboard to a published book.
MILESTONES
- BOLA STRIKES AGAIN! This time, Coursera's API allowed someone with a valid login unfettered access to endpoints related to others' accounts. There have been many of these recently (Facebook, Peloton, and John Deere, to name a few). Remember, just because a user is authenticated doesn't mean they're authorized to call whatever endpoint they can dream up. More on Broken Object Level Authorization (BOLA) here.
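The authenticated-versus-authorized distinction above, as an added example (not code from this newsletter or from any of the services named): a handler that only checks for a session beside one that also checks object ownership, plus a small audit that flags cross-owner reads. The handler names, record ids and data are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user_id: str           # identity proven at login (authentication)
    is_admin: bool = False

# Constructed sample data: record id -> record with an owner.
RECORDS = {
    "pref-1001": {"owner": "alice", "email": "alice@example.com"},
    "pref-1002": {"owner": "bob", "email": "bob@example.com"},
}

def get_record_vulnerable(session, record_id):
    """BOLA: only checks that a session exists, never who owns the object."""
    if session is None:
        return 401, None
    record = RECORDS.get(record_id)
    return (200, record) if record else (404, None)

def get_record_checked(session, record_id):
    """Object-level authorization: caller must own the record (or be admin)."""
    if session is None:
        return 401, None
    record = RECORDS.get(record_id)
    # Same 404 for "missing" and "not yours" so ids cannot be enumerated.
    if record is None or not (session.is_admin or record["owner"] == session.user_id):
        return 404, None
    return 200, record

def audit_cross_owner_access(handler, sessions):
    """Regression check: every (user, record) pair where a non-owner gets 200."""
    leaks = []
    for s in sessions:
        for rid, rec in RECORDS.items():
            status, _ = handler(s, rid)
            if status == 200 and rec["owner"] != s.user_id and not s.is_admin:
                leaks.append((s.user_id, rid))
    return leaks

if __name__ == "__main__":
    users = [Session("alice"), Session("bob")]
    print("vulnerable:", audit_cross_owner_access(get_record_vulnerable, users))
    print("checked:   ", audit_cross_owner_access(get_record_checked, users))
```

Running the same audit against every object-returning endpoint in a test suite catches this class of bug before release.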
WRAPPING UP
Friends, it is that time for The Postman 2021 State of the API Survey! Reading the results from this has always been a great source of insights for these notes. However, what is different this year is that, this time, I've been able to influence some of the questions asked! I'm testing several hypotheses, and I NEED YOUR THOUGHTS.
It's quick and painless. More importantly, your experience matters. Make your voice heard. Fill out the 2021 State of the API Survey here.
On my blog, I've discussed the importance of software environments in creating behaviors. That includes template defaults. ADP's Boris Vernoff, in yet another API Days talk, demonstrates how they use software constraints in their API design process to achieve desired outcomes. Worth checking out.
I'll end, as always, with gratitude to my Patreons. Your help ensures that this newsletter is free of advertising, information selling, or paywalls. The community benefits from your generosity.
Till next time, Matthew
@libel_vox and matthewreinbold.com
While I work at Postman, where smiley-face emojis outnumber frowny-faces 100-to-1, the opinions presented above are mine.