Net API Notes for 2022/04/21 - Issue 196
The continued rain has meant that I haven't been able to get outside and toss the softball with my girls. API news has no such problems, however. Here are the latest pitches that have come my way.
Net API Notes is a regular, hand-curated digest of impactful news and analysis for busy API practitioners.
NOTES
GRAPHQL AT MAJOR LEAGUE BASEBALL
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Olesya Medvedeva and Matt Oliver were recently featured in an InfoQ presentation recap. Together, they presented how GraphQL was used in Major League Baseball (MLB).
Olesya and Matt shared how MLB had several services, which subsequently led to various "mashups" - teams consuming APIs, removing some data while enriching the response with others, and then exposing new APIs. These mashups were highly tailored to provide specific experiences. However, they created discovery and maintenance issues over time due to their high degree of coupling.
MLB's solution was to insert GraphQL as a proxy between the services and consuming applications. You can read more about their solution in the InfoQ coverage.
(I believe that InfoQ mistakenly misspelled Olesya's first name as "Olessya" in their piece. I've contacted them about getting that corrected.)
EQUINOR'S API STRATEGY
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Equinor is an energy company based in Norway. Recently, they took the bold step of publishing their API strategy on GitHub. There, it joins their API Guidelines.
Without a strategy, APIs can become a happenstance of regular business operation rather than a managed asset. If your company lacks a coherent API strategy, you could do far worse than starting with Equinor's guide as an example. I like this publicly posted declaration a lot.
In particular, the categorization framework Equinor outlines is notable. Rather than treat all APIs as the same - something that can be prohibitively expensive in terms of risk oversight and governance - they categorize APIs into four different classes: app-internal, internal, partner and public. Based on this consumption scope, companies can then make more informed decisions with their limited resources.
THE LATEST API SECURITY TRENDS
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
The last mention is Erik Wilde's API security chat with Noname Security's Filip Verloy. In the YouTube recording, they discuss several trends in API security, including:
- The "Shift-Left" in security initiatives, applying scrutiny to APIs during the development lifecycle rather than waiting until they're in a higher environment
- The potential gains from observability
- How centralized awareness appears at odds with federated, autonomous teams
Considering the rise in security concerns in many software shops, I imagine these are familiar conversations for many folks.
MILESTONES
- Last issue, I lamented the purchase and subsequent debasement of HTTPStatuses.com. Well, David Biesack went and forked the repo, scrubbed it, and has posted his own restored version for the community. Nicely done. There is the WebConcepts Status resource, as well.
- ngrok had a big announcement. The localhost tunnel announced "simple integration with IDPs, OAuth providers, SIEMs, webhook verification and tons more".
- SmartBear acquired Pactflow. Pactflow was a company that tests APIs and microservices.
- HTTPStat.us is an interesting tool for simulating long running requests.
- Back at the end of 2020, I went deep on the API implications of LinkedIn's anti-scraping lawsuit. The case went to the Supreme Court, which subsequently kicked it back down to the U.S. appeals court. Finally, after all that, the verdict is in: scraping publicly accessible data is legal.
WRAPPING UP
Looking for an API meetup or conference event? Give NetAPINotes.events a look. I should have the NoFluffJustStuff Software Symposiums added shortly.
And now, this newsletter's Patrons deserve a spot of praise. Their support keeps these email issues free of ads, paywalls, or information selling. Thank you!
Till next time,
Matthew @libel_vox and matthewreinbold.com
While I work at Concentrix Catalyst, a dry spot beneath the eaves during an unexpected spring shower, the opinions presented above are mine.