Net API Notes for 2022/05/10 - Issue 197

It is going to be nearly 80 degrees in the wild north today. Before I tear off my stocking cap and sweatshirt to go frolicking among the meadows, let's do some notes!

Net API Notes is a regular, hand-curated digest of impactful news and analysis for busy API practitioners. Are you reading this and not subscribed yet? Sign up today and be the first to get ad-free, actionable info delivered directly to your inbox.



At one time or another, most of us have talked about "the API vision". But what does that mean in practice? Beyond sounding professional, what does a vision look like?

Examples of an API vision are few and far between. However, the UK's National Health Service (or NHS) has impressive API documentation available on its website. Not only is there the usual list of API endpoints and getting-started info, but they also provide an array of context that is often missing from API efforts. These are things like:

The UK's Government Digital Service has described the NHS API strategy as "exemplary". If you've been looking for a way to articulate your organization's API vision, the NHS is a great example to learn from.

A thank you goes out to Joyce Stack, who brought this to my attention.



After more than a decade, I think most folks could articulate what an API gateway is (it is something that sits between all API calls and backend services, often performing some basic management, and then returns the result). Being a bit more recent, a service mesh may initially seem like that same thing - a proxy for facilitating service-to-service communication. When do you use which?

Anita Ihuman has a great post on the Ambassador blog explaining precisely that. The post does an excellent job explaining the challenges of service discovery, and how both API Gateways and Service Meshes tackle it. Explicitly detailing the similarities and differences between both approaches was also welcome.

If you're currently working through service discovery in your org, this article might help.


Google Cloud's Vikas Anand and David Feuer recently released a joint blog post covering seven trends for the API economy. Some, like "moar microservices" and "conversation APIs go mainstream", are a bit ho-hum.

However, two areas caught my attention and both had to do with security. In one case, Vikas and David predicted the end of shadow IT, or APIs that provide ingress/egress of a company's data assets without other groups (cyber, risk, legal) being aware. As companies are increasingly called to account for how data is handled, those "quick" doorways punched through the firewall for the marketing survey (for example) are increasingly untenable.

The other security item was a prediction that companies will embrace a zero-trust defensive posture; that is, traffic that used to be considered "safe" because it stayed inside the firewall is increasingly expected to meet the same security practices as traffic exposed outside the company. Does that represent a significant change from your current practice? Let me know - I'd love to hear more about where people are.


  • Drupal remains one of the most popular content management systems. In late April, they patched several API vulnerabilities. Users are advised to apply the updates for these "moderately critical" vulnerabilities as soon as possible.
  • Somewhat related is the publishing of RFC 9116, or "A File Format to Aid in Security Vulnerability Disclosure". The RFC 'defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.' It is a great idea that I hope takes off because it provides a significant improvement over the previous convention.
  • After nine years, David Berlind is leaving ProgrammableWeb. That's an impressive run in any context, but doubly so in software.
  • The Austin API Meetup is coming back! When I first started, the Austin meetups were one of the most reliable activities I could count on being there - something notoriously rare in volunteer community efforts. I was saddened to see such an "institution" fade away as the pillars became busy with other things. But now it's back! Hooray! (And while I'm mentioning, I wanted to have a special hat-tip to Shai for letting me know I had a malformed link in the last newsletter. THANK YOU!)


While there wasn't an email last week, it didn't mean that I was idle. First, I appeared as a guest on the APIs Unplugged podcast. I discussed complexity and systems thinking in API systems along with hosts Matt McLarty and Mike Amundsen.

Next, I'm happy to share that I'll be speaking at several events in June. The first will be Pronovix's Online Applied Complexity Conference on June 15th. The next is the 2022 Minnesota Developers Conference on June 22nd, a local event for me. On June 23rd, I'll also be presenting remotely at the Carmax Internal Developer Conference.

The topic for all three events is "Seven Skills To Change Complex Systems And Save Software". I remain committed to supporting online and local talks rather than returning to in-person events for several reasons. At least for the time being, that seems to be working.

Looking for an API meetup or conference event? Give a look. I should have the NoFluffJustStuff Software Symposiums added shortly.

And now, this newsletter's Patrons deserve a spot of praise. Their support keeps these email issues free of ads, paywalls, or information selling. Thank you!

Till next time,

Matthew @libel_vox and

While I work at Concentrix Catalyst, that sunny afternoon napping spot by the window, the opinions presented above are mine.
