Apply Airtight Governance Across a Well-Known API Lifecycle

An API platform puts everything across your operations within reach. It incentivizes you to define all your resources in a modular and machine-readable way that can consistently be documented, tested, and governed.

This approach allows you to define and test the instances of your APIs and also define and test the design, documentation, and testing processes. The feedback loops that exist amongst team members, partners, and third-party consumers can also be leveraged to provide feedback on these processes. This gives teams a voice and ownership of the API governance process.

Bringing operations to governance

You can’t govern, test, secure, or perform many other essential aspects of API operations if you can’t find your APIs. API platforms allow you to index all of your API artifacts that isolated developers are applying across your operations. An API platform makes them available via search, and they are cataloged via private, partner, and public networks.

You also have visibility across your distributed teams. Workspaces, repositories, and gateways all have existing outputs that can be integrated with the platform. This means governance includes your microservices and APIs as part of a well-known API lifecycle, instead of your centralized governance struggling to discover teams, APIs, and where they are getting their work done. In an API-first world, we know where teams are doing the work that occurs around APIs—and all of that is easily discoverable.

The spectrum of governance automation

For API governance to be airtight, you have to be able to automate across the entire API lifecycle, monitor that automation, and be able to report upon what is happening with API governance across APIs—in the same way that you want to understand uptime, performance, contract, and other types of testing you have going on. Effective API governance is automated at design time by baking linting into your API design tooling using rules and script-based approaches. This ensures teams are applying consistent patterns when designing new APIs. However, API governance should also be automated as part of API developers’ natural daily workflow, in their tooling, and baked into the CI/CD pipeline.

API governance “tests” can be defined in the same modular way as contract, performance, integration, and other types of testing, making for a full stack of well-defined tests that can be added across all CI/CD pipelines that are deploying or integrating with APIs. These same tests can then also be scheduled to run via monitors, reported upon, and piped into existing APM solutions for powering wider observability. Visibility into the health of each API is established, and also into the governance and automation that exists around them—all so that governance is being applied consistently, effectively, and with the coverage needed across an organization.

A ready-to-go API governance feedback loop

An API platform supports existing feedback channels through integrations with GitHub, Slack, and other tools developers use. An API platform also clearly identifies and organizes teams into logical groups or domains, providing them with a feedback loop around individual API artifacts across workspaces and driving discussion at the atomic level of each API specification. A feedback loop that is this granular can become the go-to feedback loop for API governance across an organization, helping ensure there is a pipeline of conversation coming in from the lowest levels of the API design, development, and deployment process to central API architects, leadership, and centers of excellence. Gaps in API governance will inevitably open up across operations, and using the feedback loops that already exist across teams to gather and learn from feedback on API governance means these gaps are quickly identified and addressed in future iterations of the API governance strategy.

An organization then has a full understanding of not just how API governance is applied across its operations, but also how it is iterated, evolved, and made to actually fit the needs of both the organization and the teams doing the work on the ground.

Governance becoming enablement

API governance from the top down makes a lot of sense, but it can sometimes have a bad reputation. This is due to many years of poorly planned and executed API governance that tends to be top-down, prescriptive, and lacking a feedback loop with developers who are expected to apply governance across operations.

When API governance has a feedback loop bringing essential information centrally to better inform future iterations of API governance guidance, tooling, and training, API governance tends to look more like API enablement to those on the ground. Heavy-handed, gated, and information-broadcast approaches to API governance are rarely received well across teams; instead, approaches to API governance that are focused on enablement, automation, and feedback loops tend to find greater alignment and support across teams.

The surface area across all of your APIs will forever be evolving and changing, and the surface area across all of your API teams will also forever be changing and evolving, so it makes sense that your API governance should be leveraging the API platform, its artifacts, integrations, and feedback loops to ensure that API governance is always evolving to cover as much of that changing surface area as possible.

Ongoing API governance evolution

Healthy API governance is alive and ever-evolving. However, it takes time and investment to get to a point where it lives, grows, and becomes a natural, self-propagating member of your API platform ecosystem. An API platform lets you begin with your API governance in little tactical ways that help automate governance during design or enforcement as part of the pipeline for newer APIs, but it is important to be investing in platform-level strategic API governance along the way.

Don’t expect organization-wide governance to be a reality when you are just getting started setting up your API platform and beginning to migrate teams into an API-first world. This will take time. It will take education. But if you begin planting the tactical seeds of API governance within teams and workspaces, the collaborative nature of your API platform will begin to do the work of propagating, applying, and providing feedback on what is working—and also what is not.

Realizing airtight API governance across your platform will require continued negotiation around what an agreed-upon definition of the lifecycle is across your teams, as well as a balanced investment tactically within teams and strategically within a central group of architects and other stakeholders. Regular iteration and feedback will inform what the next step in the API governance journey should be, driven by well-communicated steps forward. Organizations need to stay on their toes observing, gathering, and applying feedback, and repeating in an ongoing fashion until the coverage of governance is at the desired levels.

