A presentation given by Bill Doerrfeld, Editor in Chief of Nordic APIs, at our 2024 Austin API Summit, March 12-13. Session Description: As it turns out, making a hit API is a lot like making a hit music album. You have to find a niche, you need good naming, and you need quality content. Also, on the production side, design, style, experience, and collaboration all matter a lot. At the end of the day, both are products, requiring the right management tools, marketing know-how, and infrastructure to scale. In this SXSW-inspired opening keynote, I'll look into the parallels between the two endeavors, providing a fun and informative look into specific things API providers should be considering on their journey toward becoming API platform rockstars.

1. Going platinum:
How to make a hit API
Bill Doerrfeld
Nordic APIs Austin API Summit. March 2024
SXSW edition

2. Making a hit API product is
like making a hit album
Both require:
SPECIALIZATION
EXPERIENCE
NAMING
QUALITY
STYLE
CONSISTENCY
CATALOGING SECURITY
PRODUCTIZATION

3. You have to find a niche.
"Micro" is in.
SPECIALIZATION

4. Genres
How it used to be
Pop
Rock
Alternative
Hip-hop/Rap
R&B/Soul
Country
Electronic
Classical
Jazz
Blues
Monolithic
services
Traditional web apps
ERP systems
CMS service
Point-of-sale systems
Accounting software
Human resource systems
Inventory management systems
SPECIALIZATION

5. How it is now
Micro-genres
Vaporwave
Chillwave
Witch house
Seapunk
Bedroom pop
Glitch hop
Future funk
Lo-fi
Synthwave
Electroswing
Cloud rap
Fidget house
Dark ambient
Post-rock
Math rock
Shoegaze
Drone
Neo-folk
Post-metal
Noise rock
Experimental
electronic
Industrial metal
Progressive metal Acid jazz
Psych pop Ambient
techno
Breakcore
Microservices
User
Authentication
User Profile
Product
Catalog
Inventory
Management
Order
Management
Payments
Shipping
Recommendations
Search
Content Management
Messaging
Analytics
Logging and Monitoring
Image Processing
Video Processing
Email
SMS
Notifications
Geolocation
Weather
Social Media Rate Limiting
File Storage Notification Queue
API gateway Backup and Recovery
Caching
SPECIALIZATION

6. How small is too small?
Can the amount of API features be related to the success of a business?
Source: The Impact of a Large Number of API Features, Bruno Pedro
● Ratio of operations per
feature below 10.
● Perceived complexity
impacts support
requirements.
● Design impacts
discoverability, and
developer experience.
Diagrams represent HTTP method → API features → capabilities they provide
SPECIALIZATION

7. The
experience
matters.
EXPERIENCE
Developer consumers are like the
"listeners."

8. The total number of APIs worldwide (public and private) is
approaching 200 million, according to A 2021 F5 report.
Why developer experience (DX) matters
# of APIs
Reduce cost
Can improving developer experience actually reduce costs? The
answer is a resounding "yes."
Marketing DX is a natural marketing tool. Docs / dev portal are the window to
your product.
EXPERIENCE

9. ✓ Tell me what this does
✓ Public documentation
✓ Show me the code already
✓ Have an auth guide
✓ Make sure OpenAPI = production
✓ Have a playground in the docs
✓ Better yet, get it in my IDE
✓ Consider AI for ultimate DX
Make a great API DX
Ways to
Souce: How to Make A Rickdiculous Developer Experience For Your API, Doerrfeld, 2023.
EXPERIENCE

10. Instant playback
Let them "listen" before they buy
EXPERIENCE

11. You need a
good name.
"Random Access Memories" by Daft
Punk
NAMING

12. Part of the REST standard is to use
pluralized resources with the correct
HTTP verbs.
- Steve McDougall, "The Ten REST Commandments,"
Nordic APIs. 2023
API naming
“RESTful URIs should refer to a resource
that is a thing (noun) instead of referring
to an action (verb)"
- RESTfulAPI.net
● Resources as nouns:
/albums/{id} instead of
/getAlbum
● Pluralized resources: /albums
instead of /album
● Forward slashes for hierarchy
● Punctuation for lists
● Lowercase letters and dashes
● And more…
Source: 10+ Best Practices for Naming API
Endpoints, Nordic APIs. Last updated 2023.
NAMING

13. It’s gotta be
quality.
In the late 70s, Steely Dan
pioneered contemporary recording
techniques.
QUALITY

14. Steely Dan level APIs are:
● Intentional: Functions as expected,
design-first
● Well-performed: High performance
quality
● Produced well: Meets modern
standards
● Precise: No errors, vulnerability-free
So, how do we make sure our APIs are a good quality production?
QUALITY

15. API quality benchmarks: FinTech
Source: APIContext
One method: comparing against industry benchmarks
QUALITY

16. API quality benchmarks: AI
Source: APIContext
QUALITY

17. API quality screening
Test APIs against best practices. Design-first dev for the win!
Results from scanning OpenAI's YAML OpenAPI definition:
(https://raw.githubusercontent.com/openai/openai-
openapi/master/openapi.yaml)
RateMyOpenAPI
API Insights
- Inconsistent naming
- Not verbose error responses
- Lack of performance headers
- Content type security policies
App.Escape.Tech
- Missing operation descriptions
- Missing examples
- Undefined errors
- Potential for information
disclosure
- Duplicated objects
QUALITY

18. Style
matters.
STYLE

19. API architectural style trends
Takeaway: REST-first, but consider GraphQL and async styles for usability
Source: Postman State of the API Report, 2023
STYLE

20. Who is keeping an API style
guide?
STYLE
Resource alert! API style guides from Atlassian, Cisco, Google, Microsoft, Heroku, and
others: https://apistylebook.com/

21. Consistency matters.
"Find your sound." Consistency is typically good in APIs too.
CONSISTENCY

22. "Similar Hallways"
Repurposed from Kristen Womack's talk 'Level Up Your Developer Experience: Creating Awesome Support
Resources' at the 2023 Platform Summit in Stockholm.
CONSISTENCY

23. Not everyone can be the Beatles
CONSISTENCY

24. Both are
cataloged
A catalog number is a specific alphanumeric
number a record label assigns for a release.
Ex. Abbey Road" by The Beatles (Apple Records)
- Catalog number: SO-383
CATALOGING

25. Both have
documentation
(but not always!)
CATALOGING

26. - 2023 State of the API Report, Postman
52% of respondents said lack of documentation was
the biggest problem
API documentation #1 issue
Only 10% of organizations fully document their APIs
- 2023 report from Enterprise Management
Associates (EMA)
CATALOGING

27. - Rapid’s 2022 State of APIs report
Companies with 10,000 or more employees tend to
have over 250 internal APIs
API sprawl issues
● What is API sprawl?
○ Sheer increase in APIs
○ Unmitigated technology adoption
○ Lack of governance
○ Lack of standards
CATALOGING

28. New Risks on OWASP Top
Ten for APIs (2023)
API9:2023 - Improper Inventory Management
API10:2023 - Unsafe Consumption of APIs
API6:2023 - Unrestricted Access to Sensitive
Business Flows
CATALOGING

29. Both are
products.
"Thriller," one of the most
commercially successful albums of
all time, has sold over 66 million
copies worldwide.
PRODUCTIZATION

30. - Jason Harmon
CTO at Stoplight and API Intersection podcast host.
Formerly at Expedia Group and Paypal.
"It's just another product…The future of APIs is all
about product management."
The API is a product.
PRODUCTIZATION

31. - MuleSoft and Deloitte Digital 2023
Connectivity Benchmark Report.
APIs and API-related
implementations generated 41%
of revenue for organizations in
the US
API monetization
● Direct monetization is just one
model!
On productifying APIs…
Source: ProgrammableWeb 2020 Guide to API Business Models, Mulesoft. Pg. 6
PRODUCTIZATION

32. Some are
just a one
hit wonder
'Take On Me' by A-ha
PRODUCTIZATION

33. The Anatomy of an API in 2023: A Comprehensive Overview: Treblle analyzed 1 billion
requests from 9,000 different APIs.
https://blog.treblle.com/the-anatomy-of-an-api-in-2023-a-comprehensive-overview/
● 68% of API endpoints use
GET HTTP method
○ (Might not be using HTTP
methods correctly…)
● 20% of API endpoints
remain unused for over
30 days.
What's your one hit wonder?
PRODUCTIZATION

34. You gotta
secure
your IP.
In 2011 Skrillex lost an
entire unreleased album
after his laptops and
hard drives were stolen.
SECURITY

35. "60% of organizations said they
experienced at least one API-related
breach in the past two years."
-Traceable's Global State of API Security 2023
API attacks on the rise
SECURITY

36. 5 Examples of Recent
Terrible API Breaches
Trello
- When? Early 2024
- What? Endpoint
overshared data /
business logic abuse
- Takeaway: Avoid
data overexposure,
apply rate limiting
Hugging Face
- When? Late 2023
- What? 1,500 tokens
left exposed
- Takeaway: Protect
keys/secrets, don't
store publicly
T-Mobile
- When? Early 2023
- What? 37 million
accounts
compromised w/ auth
issue.
- Takeaway: Have
proper authn/authz
checks
Kronos
- When? Late 2023
- What? $25 million in
ETH stolen
- Takeaway: Avoid
leaking unauthorized
API keys
Optus
- When? Mid-2022
- What? 11 million
customer records
leaked from open
endpoint.
- Takeaway: Take a
zero-trust approach
w/ authn and authz.
Read: Takeaways From 5 Terrible API Breaches, Doerrfeld, 2023.
SECURITY

37. Be a producer.
Go produce and be prolific API rockstars

38. Est. 2013
Weekly thought pieces on API design, strategy
Nordic APIs blog

39. Thank you!
Going platinum:
How to make a hit API
Bill Doerrfeld
Bill Doerrfeld. Nordic APIs Austin API Summit. March 2024