Introduction to Web APIs

© 2013 IBM Corporation. Introduction to Web APIs. Rachel Reinitz, IBM Distinguished Engineer, ISSW; Dinesh Shetty, Senior Certified IT Specialist, ISSW. 2678

description

Exposing information through web APIs is quickly accelerating, with APIs being exposed by enterprises and governments, and being the de facto standard for startups. This deck provides answers to the following questions: What is a web API? Why is there so much buzz about it? What makes it different from classic SOA services? What technology and skills are needed to start exposing Web APIs? What's the difference between internal and external exposure of web APIs? This presentation will have a technical focus, while providing business context, including examples that illustrate business models and industry use of web APIs.

Transcript of Introduction to Web APIs

Page 1: Introduction to Web APIs

Introduction to Web APIs

Rachel Reinitz, IBM Distinguished Engineer, ISSW

Dinesh Shetty, Senior Certified IT Specialist, ISSW

2678

Page 2: Introduction to Web APIs

Please Note

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3: Introduction to Web APIs

Agenda

• API Economy – Understanding the space
• Top APIs today
• Industry Examples of Web APIs
• Terminologies, Roles & Relationships
• Fundamental Concepts - REST, XML & JSON
• API Styles
• Web API Use Cases – Internal & External
• API Security
• Caching

Page 4: Introduction to Web APIs

Exploding and Interconnected Digital Universe

• 33% of all new business software spending will be Software as a Service
• 1 billion workers will be remote or mobile
• 1 trillion connected objects (cars, appliances, cameras)
• 1B Mobile Internet users
• 30% growth of 3G devices
• 30 billion RFID tags (products, passports, buildings, animals)

Embracing New Technologies, Adopting New Business Models

• Mobility
• Cloud / Virtualization
• Social Business
• Bring Your Own IT

Large existing IT infrastructures with a globalized workforce, 3rd party services, and a growing customer base

Cloud, mobile analytics, and social are fueling the hyper-growth of API-centric, business as-a-service economies

Page 5: Introduction to Web APIs

Example players in the new services economy

Business functions delivered as API-centric services enable businesses to co-create customer value with speed and scale

“As-a-service” is disrupting the traditional business models and the technology consumption paradigm

• The evolution of SOA into technologies like REST allows for the externalization of core services through consumable APIs
• Trend established in web-centric companies, and enterprises are beginning new solution creation patterns – it changes the interaction patterns and processes across businesses and leverages analytics, mobile, social and cloud to differentiate
• Agile, scalable, and consumable business as-a-service APIs are shifting the application development market as Cloud similarly shifted delivery of IT
• Transform the business model along sales, contracts, engagement, processes, development, and delivery towards a new scalable model

• $1.5B revenue of 10K+ affiliates
• Expecting $10B mobile transactions in 2012
• 40% total units sold by outside sellers
• 40% new business comes from non-CRM offerings
• API only company reaches 150,000 developers and 1.5M calls a day

Page 6: Introduction to Web APIs

• API-centric model is at the core of mature born-on-the-web companies like Amazon, Google, and Facebook
• Registrations in Programmable Web have more than doubled this year. At that pace we could see more than 100,000 APIs registered by 2016.
• By 2014, Gartner predicts that 75% of Fortune 1000 companies will expose some form of APIs

+80B API Invocations per day

APIs registered across a multitude of business areas

[Chart: APIs registered by year, 2004 to 2020, vertical axis 0 to 300,000. Annotations: "We are here!", "Projected +300k APIs by 2020", "All Fortune 1000 companies will have APIs by 2015"]

APIs as a strategic business tool for value co-creation and front-office digitization is growing in Fortune 1000 companies

Page 7: Introduction to Web APIs

Apps, APIs and API Mgmt…

Roles: Business Owner, IT, Developer, Consumers

Benefits

• New business opportunities
  • New markets
  • Increase customers
  • Enhance branding
  • Competitive advantage
• Extend development team
  • Increase innovation
  • Increase scale
• Partner/supplier alignment

Challenges

• Business strategy
• Infrastructure
  • Security
  • Creation
  • Scalability
• Operational control
  • Publish
  • Analyze
  • Monitor

Page 8: Introduction to Web APIs

Public, Open-To-All APIs

• APIs are open to any developer who wants to sign up
• Apps are more targeted towards end consumers
• The business driver is to engage customers through external developers

Protected, Open-To-Partner APIs

• APIs are open to select business partners
• Apps could be targeted at end consumers or business users
• The business driver is usually different, based on the data and type of business of the enterprise

Private, Internal APIs

• APIs are exposed only to existing developers within the enterprise
• Apps are usually targeted at employees of the enterprise
• The business driver is more around productivity of employees

Customers will require a combination of three API types

Page 9: Introduction to Web APIs

Web APIs are Different from SOA Services

Web APIs | SOA Services
Consumers are Internal and External developers | Consumers are Internal (and maybe partner) developers
Embracing of open community/social business is critical | Promote reuse within a company and sometimes with partners
REST, leverage HTTP for Internet scale | SOAP & protocol independent headers
Ease of use based on simplicity and readability | Interoperability and tooling consumption based on WSDL
Fine grained, small amounts of data | Coarse grained
Relaxed consistency | Option for transactionality & reliability
True ‘black box’ separation between Web API and consuming app; simple contract | More extensive contract between service provider and consumer… in enterprise implementations

Page 10: Introduction to Web APIs

• Top APIs today
• Industry Examples of Web API

Page 11: Introduction to Web APIs

Top APIs today.. and growing

8000 APIs and counting

*Source: programmableweb.com

Top APIs today

Right now!

Page 12: Introduction to Web APIs

Philips hue API: Wireless Lighting

• Provides wireless control of domestic lighting systems along with mobile apps
• Opened an official developer program
• Recognizes roadblock for bigger developers - lack of commitment and proper docs

Source: http://techcrunch.com/2013/03/10/philips-hue-lighting-sdk-ios/

“Now what we want to do as Philips is we actually want to help and grow and encourage this community, and give them tools and proper documentation. Also, we want to give them commitment that this is the API and we’re going to support it and it won’t change overnight.” – George Yianni, Hue System Architect

Page 13: Introduction to Web APIs

PayPal API: Payments API

• Launched X.commerce in 2011 for eBay integration
• Demand for features and simplicity from developers
• Newly launched REST APIs
• Organized a developer lounge and competition

“PayPal is making it easier for developers to accept payments from more than 123 million active accounts across 190 markets and in 25 currencies around the world, and we’d love to hear from you” - Company blog post @ http://blog.ebay.com

Page 14: Introduction to Web APIs

Transportation APIs example

Singapore exposes transportation data through Web APIs and has many apps developed free by developers

Article talking about program - http://dailycrowdsource.com/20-resources/projects/573-singapore-moves-towards-a-collaborative-government

Page 15: Introduction to Web APIs

• Terminologies, Roles & Relationships
• Fundamental concepts
  • REST
  • XML
  • JSON

Page 16: Introduction to Web APIs

Terminologies: Web APIs, Mashups & Apps

Web API: A defined set of HTTP request messages along with a definition of the structure of response messages, typically expressed in JSON or XML

Mashup: A web page or application that uses Web APIs to combine data, presentation or functionality from two or more sources to create new services.

Web App: An application accessed by users over the Internet or an intranet. The term may also mean a software application coded in a browser-supported programming language (such as JavaScript and markup language like HTML)

Mobile App: An application designed to run on smart phones, tablets and other mobile devices. Usually available through application distribution platforms, operated by the owner of the mobile OS, e.g. Apple App Store, Google Play, Windows Phone Store

Page 17: Introduction to Web APIs

Roles and Relationships

App Developer

• Develops cool new applications against new public or private APIs
• Understands one or more web programming languages
• Spends his free time developing Apps too

Business User

• Wants to reach new markets through new channels
• Understands the business and value of assets being exposed
• Needs to experiment with different programs and campaigns to drive adoption
• Product Manages the initiative

IT Person

• Exposing public APIs might be new to the IT Person
• Worried about security and scalability of infrastructure
• Short on time to do new projects

Page 18: Introduction to Web APIs

REST

• Architectural style; Popular choice for building web applications
• Verb = HTTP Action (GET, POST, PUT, DELETE)
• Noun = the URI of the Service (the document)
• Adjective = MIME type of the resulting document

Page 19: Introduction to Web APIs

XML

• There are more XML APIs registered on programmableweb than JSON
• But JSON as a choice and JSON only APIs are increasing quickly
• XML continues to be leading choice of format for APIs
• But payloads are kept simple
• Developers rely on examples rather than XML schemas

Example: popular telephony service from Twilio

<TwilioResponse>
  <SMSMessage>
    <Sid>SM1f0e8ae6ade43cb3c0ce4525424e404f</Sid>
    <DateCreated>Fri, 13 Aug 2010 01:16:24 +0000</DateCreated>
    <From>+15104564545</From>
    <Body>A Test Message</Body>
    <Uri>/2010-04-01/Accounts/AC228b97a5fe4138be081eaff3c44180f3/SMS/Messages/SM1f0e8ae6ade43cb3c0ce4525424e404f</Uri>
  </SMSMessage>
</TwilioResponse>

Page 20: Introduction to Web APIs

JSON (JavaScript Object Notation)

• Lightweight data-interchange format
• Based on a subset of the JavaScript Programming Language
• Easy for humans to read and write
• Easy for machines to parse and generate
• JavaScript has been and is increasing in popularity for browser and beyond-browser client applications

Twilio example (cut down but you get the idea):

{
  "sid": "SM1f0e8ae6ade43cb3c0ce4525424e404f",
  "date_created": "Fri, 13 Aug 2010 01:16:24 +0000",
  "to": "+15305431221",
  "from": "+15104564545",
  "body": "A Test Message",
  "uri": "\/2010-04-01\/Accounts\/AC228ba7a5fe4238be081ea6f3c44186f3\/SMS\/Messages\/SM1f0e8ae6ade43cb3c0ce4525424e404f.json"
}

Page 21: Introduction to Web APIs

• API Styles
• Web API Use Cases
  • Internal
  • External

Page 22: Introduction to Web APIs

Proxies & Assemblies – Types of web APIs

[Diagram; labels recovered from the slide:]

• Layers: Client Layer; API Management Layer; On Premise/Cloud Resource
• Styles: Proxy Style; Assembly Style
• Client App, connected over HTTP/JSON
• API endpoints: org/proxy1_order (Order Service); org/proxy2_customer (Customer Service)
• Calls: Invoke Service A (HTTP/JSON); Invoke Service B (HTTP/JSON)
• Examples: order/get/1234; customer/1099

Page 23: Introduction to Web APIs

Typical Architecture – SaaS-based API solution

[Diagram; labels recovered from the slide: Internet, Cloud; DMZ; Intranet; Consumers]

Page 24: Introduction to Web APIs

Typical Architecture – On-premise API solution

[Architecture diagram; labels recovered from the slide:]

• Zones: Internet, Cloud; DMZ; Intranet
• People: External App Developers; Internal App Developers; IT Operations; Business User
• Client applications: Rich Internet Applications (Dojo.base, Dojo.dojox / Dojox.mobile, Dojo.data, Navigation Controllers, Templating (django), Other UI Tech); Mobile Applications (Dojo); Internal Mobile Apps; RIA (Internal)
• Security Gateway: Authentication, Authorization, Optimization, Encryption/Decryption, Routing/Transformation
• On-premise APIs: Assemblies, Proxies; XQuery
• Enterprise Connectivity & Integration: Enterprise ESB, Protocol Transformation, Adapters, REST Services, SOAP Services
• Enterprise Information Systems: Enterprise Database, Core Application Backend, Other EIS
• Protocols: HTTP/XML, HTTP/SOAP, HTTP/JSON, HTTP/JSON/XML

Page 25: Introduction to Web APIs

• API Security
• Caching

Page 26: Introduction to Web APIs

Security mechanisms for Web APIs

OAuth

• Enables users to allow web applications to access other web applications on the user’s behalf

Basic Auth

• Passes username and password with the request
• Defined by the HTTP specification
• Uses HTTP Header “Authorization”
• Uses encoding, no encryption

API Keys

• Not based on any standard
• Service Provider decides implementation
• Keys act like signatures

Page 27: Introduction to Web APIs

Security Mechanisms - OAuth

“The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf”

Example: Foursquare and Twitter

• Steve, logged on Foursquare, wants to update his holiday location and also post the same on his Twitter page
• Twitter provides an access token for Foursquare allowing access to Steve’s Twitter page
• Foursquare uses access token provided by Twitter to make a post on Twitter on Steve’s behalf
• Access token (no user id/password) required

Page 28: Introduction to Web APIs

Security mechanisms: API Keys

• API Key
  ‒ Code passed by web applications calling an API (UUID or unique string)
  ‒ Establishes identity of the calling program, its developer, or its user to the Web site
  ‒ Used to track and control how the API is being used
    • Measure, monitor
    • Prevent abuse
• Access Control
  ‒ API Keys and Secrets provide Authentication mechanism – e.g. EveryTrail API
  ‒ Implementation is decided by API provider
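
One way a provider could implement the "keys act like signatures" idea from the two API-key slides, as an added example that is not from the deck: the key identifies the caller, and a shared secret signs each request with HMAC-SHA256. The header names `X-Api-Key`, `X-Timestamp` and `X-Signature`, the key store and the 300-second window are assumptions; the path reuses the deck's `order/get/1234`.

```python
import hashlib
import hmac
import time
from collections import Counter

# Constructed key store: API key -> shared secret (hypothetical values).
API_SECRETS = {"demo-key-001": b"constructed-demo-secret"}
MAX_SKEW_SECONDS = 300   # assumed replay window
usage = Counter()        # per-key count of accepted calls, for measuring and monitoring


def canonical_request(method, path, timestamp, body):
    """Bytes that get signed: verb, resource, time and a hash of the payload."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(api_key, secret, method, path, body, timestamp=None):
    """Client side: headers carrying the key (identity) and the signature."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    sig = hmac.new(secret, canonical_request(method, path, ts, body),
                   hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-Timestamp": str(ts), "X-Signature": sig}


def verify_request(headers, method, path, body, now=None):
    """Server side: return (accepted, reason)."""
    now = int(time.time()) if now is None else int(now)
    api_key = headers.get("X-Api-Key", "")
    secret = API_SECRETS.get(api_key)
    if secret is None:
        return False, "unknown key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    # Reject old or future-dated requests so a captured call cannot be replayed later.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = hmac.new(secret, canonical_request(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    supplied = headers.get("X-Signature", "")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    usage[api_key] += 1
    return True, "ok"
```

Because the secret never travels with the request, a captured request cannot be altered or reused outside the time window; a bare key sent on its own offers neither property.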

Page 29: Introduction to Web APIs

Implement Caching

HTTP headers can contain caching directives

HTTP/1.1 200 OK
Date: Fri, 30 Oct 1998 13:19:41 GMT
Server: Apache/1.3.3 (Unix)
Cache-Control: max-age=3600, must-revalidate
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Mon, 29 Jun 1998 02:28:12 GMT
ETag: "3e86-410-3596fbbc"
Content-Length: 1040
Content-Type: text/html

Caches improve network efficiency, improve scalability, and improve user-perceived performance of your API
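
How a client or intermediary cache would interpret the headers on this slide, as an added example that is not part of the original deck: it computes how long the response may be reused and builds the conditional request used to revalidate it afterwards. Function names are hypothetical, and age is measured from the `Date` header only, a simplification of the full HTTP age calculation.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The response shown on the slide, one header per line.
SLIDE_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 30 Oct 1998 13:19:41 GMT
Server: Apache/1.3.3 (Unix)
Cache-Control: max-age=3600, must-revalidate
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Mon, 29 Jun 1998 02:28:12 GMT
ETag: "3e86-410-3596fbbc"
Content-Length: 1040
Content-Type: text/html
"""


def parse_headers(raw):
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def cache_directives(headers):
    """Split Cache-Control into {directive: value}; valueless directives map to ''."""
    directives = {}
    for part in headers.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives


def freshness_lifetime(headers):
    """Seconds the response may be reused without contacting the origin."""
    d = cache_directives(headers)
    if "no-store" in d or "no-cache" in d:
        return 0
    if "max-age" in d:  # max-age takes precedence over Expires
        return int(d["max-age"]) if d["max-age"].isdigit() else 0
    try:
        delta = (parsedate_to_datetime(headers["expires"])
                 - parsedate_to_datetime(headers["date"]))
    except (KeyError, TypeError, ValueError):
        return 0  # missing or unparseable dates: treat the response as stale
    return max(0, int(delta.total_seconds()))


def is_fresh(headers, now):
    """True while the response's age (from Date) is below its freshness lifetime."""
    try:
        age = (now - parsedate_to_datetime(headers["date"])).total_seconds()
    except (KeyError, TypeError, ValueError):
        return False
    return age < freshness_lifetime(headers)


def revalidation_headers(headers):
    """Conditional request headers; the origin answers 304 if nothing changed."""
    cond = {}
    if "etag" in headers:
        cond["If-None-Match"] = headers["etag"]
    if "last-modified" in headers:
        cond["If-Modified-Since"] = headers["last-modified"]
    return cond
```

With `must-revalidate` present, a cache that finds the entry stale has to send the conditional request rather than serve the old copy.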

Page 30: Introduction to Web APIs

Expanding to APIs – IBM Services has the Expertise to Ensure Your Success

• What should my API Strategy be?
• How are APIs being used in my industry?
• What is needed to expose and manage APIs?
• What security do I need?
• Who are my target developers?
• How do I deliver and measure business value?
• How do I get IBM API Management setup quickly?
• Help me design my APIs?
• How do I expose my backends as APIs?
• Help me secure and scale my APIs?
• How do I deliver reports to my management?
• How do I integrate with existing infrastructure?

API Centric Architecture Assessment Roadmap

IBM Software Services for API Management

For more information contact us at [email protected]

Page 31: Introduction to Web APIs

IBM Software Services Zone for WebSphere

• Emerging technology resources including proven, prescribed, and repeatable assets & offerings to accelerate Mobile, Cloud, and Smarter Process adoption.
• Access to worldwide skills, capabilities, and education that only IBM Software Services for WebSphere can bring to your project.
• Practitioners’ insight on project trends, best practices and emerging technologies through personal videos, blogs, articles & more.
• Discover defined and proven offerings to get your project started quickly.

ibm.com/websphere/serviceszone/

Visit us in the Solution Center:

• Services, Support and Education Zone
• Smarter Process Zone

Page 32: Introduction to Web APIs

We love your Feedback!

Don’t forget to submit your Impact session and speaker feedback!

• Your feedback is very important to us – we use it to improve next year’s conference
• Go to the Impact 2013 SmartSite (http://impactsmartsite/com):
  ‒ Use the session ID number to locate the session
  ‒ Click the “Take Survey” link
  ‒ Submit your feedback
