Kin Lane
API Evangelist

The API Lifecycle Workshop
November 2015

Timeline: 1940s, 1950s, 1960s, 1970s, 1980s, 1990s, 2000s, 2010s

Henry Beck, Beck Map, 1898, 1902

Design
Design
>> Best Practices

  • Use the Web
  • Simplicity
  • Consistency
  • Easy to Read
  • Easy to Learn
  • Hard to Misuse
  • Audience Focused
  • Experience Over Resource
  • Use Your Own APIs
Design
>> Core Design

  • SSL
  • Host
  • Resource
  • Action
  • Verbs
  • Parameters
  • Headers
  • Body
  • Versioning
  • Pagination
  • Filtering
  • Time Selection
  • Sorting
  • Field Selection
  • Granularity
  • Relationship
Design
>> Response

  • Status Codes
  • Error Handling
  • Rate Limits
  • Caching
  • ETags
  • Request-Ids
  • UTF-8
  • CORS
  • JSONP
Design
>> Media Types

  • application/json
  • application/xml
  • application/csv
  • text/html
  • application/atom+xml
Design
>> Open Standards

  • JSON Schema
  • iCalendar
  • vCard
  • KML
  • geoRSS
  • m3u
  • UUID
  • ISO 8601 (Date / Time)
  • ISO 4217 (Currency)
  • ISO 3166 (Country)
  • RDFa
  • Schema.org
Design
>> Design Process

  • Definitions
  • Editor
  • Forkable
  • Sharing
  • Collaboration
  • Annotation
  • Translation
  • Highlighting
Design
>> Organization

  • Guide
  • Notebook
  • Collections
  • Dictionary
  • Contact
Design
>> Internationalization

  • Accept-Language
Design
>> Other

  • Parser
  • Interactive Documentation / Console
  • Validator
  • GitHub Sync
  • Command Line
  • Translator
Design
>> Companies

Hypermedia
Hypermedia
>> Hypermedia Concepts

  • Target Identification
  • Link Relation Type
  • Human-Readable Label(s)
  • Target Resource Hints
  • Traversal Hints
  • Topology
  • Directionality
  • Resource Role
Hypermedia
>> Hypermedia Formats

  • Collection+JSON
  • Extensible Markup Language (XML)
  • Home Documents
  • Hydra
  • Hypertext Application Language (HAL)
  • JSON API
  • Mason
  • Noun As Resource With HyperLinks (NARWHL)
  • Siren
  • Uniform Basis for Exchanging Representations (UBER)
  • XForms
  • XML Inclusions (XInclude)
  • XML Linking Language (XLink)
  • xml:id
Definition
Definition
>> API Definition

  • Translator
  • Specification
  • Generator
  • Parser
  • Validator
  • Schema
  • Converter
  • Database
  • Command-Line
  • PowerShell
  • Aggregator
  • Editors
  • IDE Plugin
  • Forms
DNS
DNS
>> Core DNS

  • Domain
  • Record
  • Zone
  • Registration
  • Cache
  • IP Address
  • Geo DNS
DNS
>> Stability

  • Monitors
  • Threat Analysis
  • Whitelist / Blacklist
  • Denial of Service (DDoS)
  • DNS Failover
  • Latency Based Routing
  • Verification
DNS
>> Utility

  • Statistics
  • Batch Requests
  • Import
  • Export
DNS
>> Companies

Containers
Containers
>> Core Concepts

  • Containers
  • Images
  • Nodes
  • Volumes
  • Clusters
  • Networks
  • Hub
  • Registry
Containers
>> API

  • Containers
  • Image
  • Volumes
  • Networks
Containers
>> Companies

Virtualization
Virtualization
>> Core Virtualization

  • Mock
  • Sandbox
  • Simulator
  • Record
  • Playback
  • Verification
  • Port Forwarding
  • SSL
Virtualization
>> Data Virtualization

  • Templates
  • Dummy Data
  • Excel Data
Virtualization
>> Import / Export

  • Import Swagger
  • Import RAML
  • Import Blueprint
  • Import WADL
  • Import Postman
Virtualization
>> Other Elements

  • Reporting
  • Analytics
  • Teams
Virtualization
>> Companies

Deployment
Deployment
>> Deployment

  • Database to API
  • Framework
  • Gateway
  • Proxy
  • Connector
  • Hosting
  • JSON to API
  • Scraping
  • Container
  • GitHub
  • CSV to API
Deployment
>> Companies

Management
Management
>> Onboarding

  • Portal
  • Getting Started
  • Self-Service Registration
  • Best Practices
  • FAQ
  • Service Accord
  • Sign Up Email
  • Google Authentication
  • GitHub Authentication
  • Facebook Authentication
  • Flexible Messaging Area
Management
>> Documentation

  • Documentation
  • List of Endpoints
  • Interactive Documentation
  • API Explorer
  • Error Response Codes
Management
>> Authentication

  • Authentication Overview
  • Key Access
  • Basic Auth
  • OAuth
  • OAuth Scopes
  • Authentication Tester
Management
>> Code Management

  • GitHub
  • Application Gallery
  • Open Source
  • Starter Projects
  • Community Supported Libraries
  • Code Builder
  • Code
  • SDKs.io
Management
>> Self-Service Support

  • Forum
  • Forum RSS
  • Stack Overflow
  • Knowledgebase
Management
>> Direct Support

  • Email
  • Contact Form
  • Phone
  • Ticket System
  • Office Hours
  • Calendar
  • Paid Support Plans
Management
>> Communications

  • Slack
  • Blog
  • Blog RSS Feed
  • Twitter
  • Email
  • LinkedIn
  • Facebook
  • Google+
  • Email Newsletter
  • Instagram
  • Vimeo
  • YouTube
  • Chat
Management
>> Updates

  • Status Dashboard
  • Roadmap
  • Change Log
  • Status RSS
Management
>> Resources

  • Case Studies
  • How-to Guides
  • White Papers
  • Webinars
  • Events
  • Slideshare
  • Codecademy
  • Tour
  • Glossary
  • Videos
Management
>> Research & Development

  • Labs
  • Ideas
  • Opportunities
Management
>> Legal

  • Terms of Service
  • Privacy Policy
  • Branding
  • Code License
  • Data License
  • Service Level Agreement
  • Deprecation Policy
  • Monetization Guidelines
  • Compliance
  • Software License
  • Trademarks
Management
>> Environment

  • Sandbox
  • Production
  • Simulator
  • Templates
Management
>> Developer Account

  • Developer Dashboard
  • Account Settings
  • Reset Password
  • Application Manager
  • Usage Logs & Analytics
  • Billing History
  • Message Center
  • GitHub Authentication
  • Delete Account
  • Service Tier Management
Management
>> Reciprocity

  • Terms of Service
  • Data Portability
  • Automation
  • OAuth
  • Integrations
Management
>> Corporate

  • Mission
  • Team Showcase
Management
>> Internationalization

  • Documentation Language
  • Internationalization
Management
>> Management API

  • User Management
  • Account Management
  • Application Management
  • Service Management
Management
>> Companies

Monitoring
Monitoring
>> Core Monitoring

  • Request Editor
  • Request Retry
  • Request Sharing
  • Request Playback
  • Request Scheduling
  • Request Compare
  • Request Scripting
  • Request Automation
  • Request Commenting
  • Service Availability
  • Latency Measurement
  • Response Header Validation
  • Response Body Validation
Monitoring
>> Management Monitoring

  • Documentation Monitoring
  • Pricing Monitoring
  • Terms of Service Monitoring
Monitoring
>> Targeted Monitoring

  • Provider Based Monitoring
  • Region Based Monitoring
  • Public Monitoring
Monitoring
>> Authentication

  • Basic Auth
  • OAuth
  • API Keys
Monitoring
>> Utility

  • Collections
  • Virtualize
  • Localhost
  • Teams
  • API
Monitoring
>> Notification

  • SMS
  • Email
  • Phone
  • Webhook
Monitoring
>> Import

  • Postman
  • Swagger
  • RAML
  • HAR
Monitoring
>> Reporting

  • Dashboard
  • Analytics
  • Embeddable
Monitoring
>> 3rd Party

  • Slack
  • PagerDuty
  • VictorOps
  • HipChat
  • Flowdock
  • OpsGenie
Monitoring
>> Companies

Testing
Testing
>> Core Testing

  • Load Testing
  • Response Header Inspector
  • Response Body Inspector
  • Request Retry
  • Request Sharing
  • Request Playback
  • Request Scheduling
  • Request Compare
  • Request Scripting
  • Request Automation
  • Request Commenting
  • Simulator
  • Templates
  • Data Scenarios
Testing
>> Targeted Testing

  • Region Based Testing
  • Provider Based Testing
Testing
>> Authentication

  • Basic Auth
  • API Keys
  • OAuth
Testing
>> Utility

  • Collections
  • Command Line Interface
  • Virtualization
  • Teams
  • API
Testing
>> Import

  • Postman
  • Swagger
  • RAML
  • HAR
  • JUnit XML
Testing
>> 3rd Party

  • JMeter
  • Selenium
  • Jenkins
  • TeamCity
  • Bamboo
  • Travis
Testing
>> Companies

Performance
Performance
>> Core Performance

  • CPU Usage
  • Memory Usage
  • Disk I/O
  • Network I/O
  • Request Editor
  • Request Retry
  • Request Sharing
  • Request Playback
  • Request Scheduling
  • Request Compare
  • Request Scripting
  • Request Automation
  • Request Commenting
  • Latency Testing
  • Simulator
Performance
>> Targeted Performance

  • Region Based Testing
  • Provider Based Testing
Performance
>> Authentication

  • Basic Auth
  • API Keys
  • OAuth
Performance
>> Utility

  • Collections
  • Command Line Interface
  • Virtualization
  • Teams
  • API
Performance
>> Import

  • Postman
  • Swagger
  • RAML
  • HAR
  • JUnit XML
Performance
>> 3rd Party

  • JMeter
Performance
>> Companies

Security
Security
>> Auth Formats

  • Basic Auth
  • OAuth
  • API Keys
  • JSON Web Token
Security
>> Auth Considerations

  • Session Management
  • Session State
  • Anti-Farming
  • Protect HTTP Methods
  • Methods Whitelist
  • Cross-Site Request Forgery
  • Insecure Direct Object References
Security
>> Input Validation

  • Assist the User
  • Secure Parsing
  • Strong Typing
  • Validate Content-Types
  • Validate Response Types
  • JSON Validation
  • XML Validation
  • Framework-Provided Validation
Security
>> Output Validation

  • Send Security Headers
  • JSON Encoding
  • XML Encoding
  • Link Integrity
Security
>> Cryptography

  • Data in Transit
Security
>> Abuse of Functionality

  • Buffer Overflow Attack
  • Buffer Overflow via Environment Variables
  • Overflow Binary Resource File
Security
>> Data Structure Attacks

  • Cross-Site Request Forgery (CSRF)
  • Logic/Time Bomb
  • Trojan Horse
  • Account Lockout Attack
  • Execution After Redirect (EAR)
  • Session Fixation
  • Session Hijacking Attack
  • Session Prediction
Security
>> Embedded Malicious Code

  • Parameter Delimiter
  • Resource Injection
  • Server-Side Includes (SSI) Injection
  • SQL Injection
  • Web Parameter Tampering
  • XPATH Injection
  • Code Injection
  • Command Injection
  • Comment Injection Attack
  • Content Security Policy
  • Content Spoofing
  • CORS Request Preflight Scrutiny
  • Cross-site Scripting (XSS)
  • Custom Special Character Injection
  • Format String Attack
  • Full Path Disclosure
Security
>> Injection

  • Brute Force Attack
  • Cash Overflow
  • Cryptanalysis
  • Denial of Service
Security
>> Path Traversal Attack

  • HTTP Request Smuggling
  • HTTP Response Splitting
  • Traffic Flood
Security
>> Probabilistic Technique

  • Asymmetric Resource Consumption
  • Cash Overflow
  • Denial of Service
Security
>> Protocol Manipulation

  • Comment Injection Attack
  • Custom Special Character Injection
  • Double Encoding
  • Forced Browsing
  • Path Traversal
  • Relative Path Traversal
  • Repudiation Attack
  • Setting Manipulation
  • Unicode Encoding
Security
>> Resource Depletion

  • Cash Overflow
  • Cross-Site Request Forgery (CSRF)
  • Man-in-the-Middle Attack
Security
>> Resource Manipulation

  • Certification
  • Security Visualization
  • Compliance & Auditing Reporting
  • Bug Bounty Program
  • Endpoint Tagging
  • Intrusion Correlation
  • Risk Scoring
  • Publish Your Page
Security
>> Companies

Terms of Service
Terms of Service
>> Core Elements

  • Accuracy of Information
  • Security
  • Opting Out
  • Sites Covered
  • Children's Privacy
  • Links to Non-Operator Web Sites
  • Non-Personal Information
  • Aggregate Information
  • Log Files
  • Cookies
  • Web Beacons
  • Personal Information
  • Members-Only Web Sites
  • How We Use Your Information
  • Information Sharing
  • Access To Information
Terms of Service
>> Companies

Privacy
Privacy
>> Privacy

  • License
  • Intellectual Property Rights
  • Permitted and Prohibited Uses
  • Use of Personally Identifiable Information
  • User Submissions
  • Technical Requirements and Limitations
  • User Discussion Lists and Forums
  • Liability
  • Termination
  • Changes
  • Links to Other Materials
  • Warranty Disclaimer
  • Miscellaneous
Licensing
Licensing
>> Server Code

  • Apache
  • GPL
  • MIT
Licensing
>> Data

  • Public Domain Dedication and License (PDDL)
  • Attribution License (ODC-By)
  • Open Database License (ODC-ODbL)
Licensing
>> Content

  • Attribution (CC BY)
  • Attribution-ShareAlike (CC BY-SA)
  • Public Domain (CC0)
Licensing
>> API

  • Attribution (CC BY)
  • Attribution-ShareAlike (CC BY-SA)
  • Public Domain (CC0)
Licensing
>> Client Code

  • Apache
  • GPL
  • MIT
Branding
Branding
>> Branding

  • Use of Brand Name
  • Use of Brand Logo
  • Use of Product Titles
  • Content Display Requirements
  • Data Display Requirements
  • Image Assets
  • Icon Assets
  • Other Assets
  • Linking Requirements
  • Naming Your Application
  • Branding Examples
  • Full Style Guide
  • Give Credit
  • Bring Value
Discovery
Discovery
>> Specification

  • APIs.json
Discovery
>> Discovery

  • API Directory
  • API Hub
  • IDE Extension
  • API Explorer
  • API Questions
Discovery
>> Directory

  • ProgrammableWeb
  • Mashape
Discovery
>> Business

  • Crunchbase
  • AngelList
Discovery
>> Search

  • APIs.io
Discovery
>> Companies

Client
Client
>> Request Editor

  • Request URL Editor
  • Request Headers Editor
  • Cookies Manager
  • Request Method Manager
  • Request Body Editor
Client
>> Authentication

  • Basic Auth
  • Digest Auth
  • OAuth 1.0
  • OAuth 2.0
Client
>> Environment

  • Separate Environments
  • Saved Variables
Client
>> Response Viewer

  • Save Requests
  • XML Viewer
  • JSON Viewer
  • RAW Viewer
  • Search
Client
>> Organization

  • Collections
  • Templates
  • Clone Requests
  • Record
  • Replay
  • Keyboard Shortcuts
  • History
  • Teams
Client
>> Import / Export

  • Import Swagger
  • Import API Blueprint
  • Import RAML
  • Import Postman
  • Export Postman
  • Export Swagger
  • Export API Blueprint
  • Export RAML
Client
>> Tooling

  • Command Line
  • Codegen
  • Proxy
  • Extensions
Client
>> Companies

IDE
IDE
>> Core Elements

  • Workspace
  • Project
  • Worker
  • Container
  • Resources
  • Analytics
  • Environment
  • GitHub
  • Editor(s)
  • Plugins
  • Autocomplete
  • Themes
  • Customize
IDE
>> Companies

SDK
SDK
>> Generate

  • C#
  • Objective-C
  • Java for Android
  • Java for JVM
  • PHP
  • Python
  • AngularJS
  • Ruby
  • Node.js
  • Go
  • Scala
  • ActionScript
  • Swift
SDK
>> Import / Export

  • Import Swagger
  • Import RAML
  • Import Blueprint
  • Import WADL
  • Import Postman
SDK
>> Discovery

  • List SDK
  • Search SDK
  • Browse SDK
  • Rating
SDK
>> Mobile Management

  • Mobile Overview
  • iOS SDK
  • Android SDK
  • HTML5
  • Appery.io
  • Windows Mobile SDK
SDK
>> Code - Platform Development Kits (PDK)

  • WordPress
  • Heroku
  • Drupal
  • Salesforce
  • Joomla
  • Google App Engine
  • Chrome Extension
  • Firefox Add-On
SDK
>> Single Page Applications (SPA)

  • Angular.js
  • React.js
SDK
>> Companies

Embeddable
Embeddable
>> Embed Formats

  • Open Graph Protocol
  • oEmbed
Embeddable
>> Embeddable Tools

  • Bookmarklet
  • Widgets
  • Badges
  • Buttons
Embeddable
>> Embed Engines

  • Widget Builder
  • JavaScript API
Embeddable
>> Companies

Webhooks
Webhooks
>> Core

  • URL
  • Payload
  • Event
  • Content Type
Webhooks
>> Inbound

  • Webhooks Targets
Webhooks
>> Outbound

  • Multiple Destinations
  • Cron Jobs
Webhooks
>> Utilities

  • Transformations
  • Scripting
  • Retry
Webhooks
>> Operations

  • Analytics
  • Emails
  • Logging
  • Alerts
  • Simulator
Webhooks
>> 3rd Party Integration

  • GitHub
Webhooks
>> Companies

Monetization
Monetization
>> Acquisition

  • Discover
  • Negotiate
  • Licensing
  • Purchase
Monetization
>> Development

  • Investment
  • Grant
  • Normalization
  • Design
  • Database
  • Server
  • Coding
  • DNS
Monetization
>> Operation

  • Definition
  • Compute
  • Storage
  • Bandwidth
  • Management
  • Code
  • Evangelism
  • Monitoring
  • Security
  • Virtualization
Monetization
>> Access Levels

  • Free
  • Free Trial
  • <