A presentation given by Bill Doerrfeld, Editor in Chief of Nordic APIs, at our 2024 Austin API Summit, March 12-13.
Session Description: As it turns out, making a hit API is a lot like making a hit music album. You have to find a niche, you need good naming, and you need quality content. Also, on the production side, design, style, experience, and collaboration all matter a lot. At the end of the day, both are products, requiring the right management tools, marketing know-how, and infrastructure to scale. In this SXSW-inspired opening keynote, I'll look into the parallels between the two endeavors, providing a fun and informative look into specific things API providers should be considering on their journey toward becoming API platform rockstars.
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
1. Going platinum:
How to make a hit API
Bill Doerrfeld
Nordic APIs Austin API Summit. March 2024
SXSW edition
2. Making a hit API product is
like making a hit album
Both require:
SPECIALIZATION
EXPERIENCE
NAMING
QUALITY
STYLE
CONSISTENCY
CATALOGING
SECURITY
PRODUCTIZATION
3. You have to find a niche.
"Micro" is in.
SPECIALIZATION
4. Genres
How it used to be
Pop
Rock
Alternative
Hip-hop/Rap
R&B/Soul
Country
Electronic
Classical
Jazz
Blues
Monolithic services
Traditional web apps
ERP systems
CMS service
Point-of-sale systems
Accounting software
Human resource systems
Inventory management systems
SPECIALIZATION
5. How it is now
Micro-genres
Vaporwave
Chillwave
Witch house
Seapunk
Bedroom pop
Glitch hop
Future funk
Lo-fi
Synthwave
Electroswing
Cloud rap
Fidget house
Dark ambient
Post-rock
Math rock
Shoegaze
Drone
Neo-folk
Post-metal
Noise rock
Experimental electronic
Industrial metal
Progressive metal
Acid jazz
Psych pop
Ambient techno
Breakcore
Microservices
User Authentication
User Profile
Product Catalog
Inventory Management
Order Management
Payments
Shipping
Recommendations
Search
Content Management
Messaging
Analytics
Logging and Monitoring
Image Processing
Video Processing
Email
SMS
Notifications
Geolocation
Weather
Social Media
Rate Limiting
File Storage
Notification Queue
API gateway
Backup and Recovery
Caching
SPECIALIZATION
6. How small is too small?
Can the amount of API features be related to the success of a business?
Source: The Impact of a Large Number of API Features, Bruno Pedro
● Ratio of operations per feature below 10.
● Perceived complexity impacts support requirements.
● Design impacts discoverability, and developer experience.
Diagrams represent HTTP method → API features → capabilities they provide
SPECIALIZATION
8. Why developer experience (DX) matters
# of APIs: The total number of APIs worldwide (public and private) is approaching 200 million, according to a 2021 F5 report.
Reduce cost: Can improving developer experience actually reduce costs? The answer is a resounding "yes."
Marketing: DX is a natural marketing tool. Docs / dev portal are the window to your product.
EXPERIENCE
9. Ways to make a great API DX
✓ Tell me what this does
✓ Public documentation
✓ Show me the code already
✓ Have an auth guide
✓ Make sure OpenAPI = production
✓ Have a playground in the docs
✓ Better yet, get it in my IDE
✓ Consider AI for ultimate DX
Source: How to Make A Rickdiculous Developer Experience For Your API, Doerrfeld, 2023.
EXPERIENCE
11. You need a good name.
"Random Access Memories" by Daft Punk
NAMING
12. API naming
"Part of the REST standard is to use pluralized resources with the correct HTTP verbs."
- Steve McDougall, "The Ten REST Commandments," Nordic APIs. 2023
"RESTful URIs should refer to a resource that is a thing (noun) instead of referring to an action (verb)"
- RESTfulAPI.net
● Resources as nouns: /albums/{id} instead of /getAlbum
● Pluralized resources: /albums instead of /album
● Forward slashes for hierarchy
● Punctuation for lists
● Lowercase letters and dashes
● And more…
Source: 10+ Best Practices for Naming API Endpoints, Nordic APIs. Last updated 2023.
NAMING
13. It's gotta be quality.
In the late 70s, Steely Dan pioneered contemporary recording techniques.
QUALITY
14. Steely Dan level APIs are:
● Intentional: Functions as expected, design-first
● Well-performed: High performance quality
● Produced well: Meets modern standards
● Precise: No errors, vulnerability-free
So, how do we make sure our APIs are a good quality production?
QUALITY
15. API quality benchmarks: FinTech
Source: APIContext
One method: comparing against industry benchmarks
QUALITY
17. API quality screening
Test APIs against best practices. Design-first dev for the win!
Results from scanning OpenAI's YAML OpenAPI definition:
(https://raw.githubusercontent.com/openai/openai-openapi/master/openapi.yaml)
RateMyOpenAPI
API Insights
- Inconsistent naming
- Not verbose error responses
- Lack of performance headers
- Content type security policies
App.Escape.Tech
- Missing operation descriptions
- Missing examples
- Undefined errors
- Potential for information disclosure
- Duplicated objects
QUALITY
19. API architectural style trends
Takeaway: REST-first, but consider GraphQL and async styles for usability
Source: Postman State of the API Report, 2023
STYLE
20. Who is keeping an API style guide?
STYLE
Resource alert! API style guides from Atlassian, Cisco, Google, Microsoft, Heroku, and
others: https://apistylebook.com/
22. "Similar Hallways"
Repurposed from Kristen Womack's talk 'Level Up Your Developer Experience: Creating Awesome Support
Resources' at the 2023 Platform Summit in Stockholm.
CONSISTENCY
24. Both are cataloged
A catalog number is a specific alphanumeric number a record label assigns for a release.
Ex. "Abbey Road" by The Beatles (Apple Records)
- Catalog number: SO-383
CATALOGING
26. API documentation #1 issue
52% of respondents said lack of documentation was the biggest problem
- 2023 State of the API Report, Postman
Only 10% of organizations fully document their APIs
- 2023 report from Enterprise Management Associates (EMA)
CATALOGING
27. API sprawl issues
Companies with 10,000 or more employees tend to have over 250 internal APIs
- Rapid's 2022 State of APIs report
● What is API sprawl?
○ Sheer increase in APIs
○ Unmitigated technology adoption
○ Lack of governance
○ Lack of standards
CATALOGING
28. New Risks on OWASP Top Ten for APIs (2023)
API9:2023 - Improper Inventory Management
API10:2023 - Unsafe Consumption of APIs
API6:2023 - Unrestricted Access to Sensitive Business Flows
CATALOGING
29. Both are products.
"Thriller," one of the most commercially successful albums of all time, has sold over 66 million copies worldwide.
PRODUCTIZATION
30. The API is a product.
"It's just another product…The future of APIs is all about product management."
- Jason Harmon
CTO at Stoplight and API Intersection podcast host. Formerly at Expedia Group and Paypal.
PRODUCTIZATION
31. API monetization
APIs and API-related implementations generated 41% of revenue for organizations in the US
- MuleSoft and Deloitte Digital 2023 Connectivity Benchmark Report.
● Direct monetization is just one model!
On productifying APIs…
Source: ProgrammableWeb 2020 Guide to API Business Models, Mulesoft. Pg. 6
PRODUCTIZATION
32. Some are just a one hit wonder
'Take On Me' by A-ha
PRODUCTIZATION
33. What's your one hit wonder?
The Anatomy of an API in 2023: A Comprehensive Overview: Treblle analyzed 1 billion requests from 9,000 different APIs.
https://blog.treblle.com/the-anatomy-of-an-api-in-2023-a-comprehensive-overview/
● 68% of API endpoints use GET HTTP method
○ (Might not be using HTTP methods correctly…)
● 20% of API endpoints remain unused for over 30 days.
PRODUCTIZATION
34. You gotta secure your IP.
In 2011 Skrillex lost an entire unreleased album after his laptops and hard drives were stolen.
SECURITY
35. API attacks on the rise
"60% of organizations said they experienced at least one API-related breach in the past two years."
- Traceable's Global State of API Security 2023
SECURITY
36. 5 Examples of Recent Terrible API Breaches
Trello
- When? Early 2024
- What? Endpoint overshared data / business logic abuse
- Takeaway: Avoid data overexposure, apply rate limiting
Hugging Face
- When? Late 2023
- What? 1,500 tokens left exposed
- Takeaway: Protect keys/secrets, don't store publicly
T-Mobile
- When? Early 2023
- What? 37 million accounts compromised w/ auth issue.
- Takeaway: Have proper authn/authz checks
Kronos
- When? Late 2023
- What? $25 million in ETH stolen
- Takeaway: Avoid leaking unauthorized API keys
Optus
- When? Mid-2022
- What? 11 million customer records leaked from open endpoint.
- Takeaway: Take a zero-trust approach w/ authn and authz.
Read: Takeaways From 5 Terrible API Breaches, Doerrfeld, 2023.
SECURITY
39. Thank you!
Going platinum:
How to make a hit API
Bill Doerrfeld
Bill Doerrfeld. Nordic APIs Austin API Summit. March 2024
Editor's notes
*Don't need to go through this
You need to find your sound. And in technology, you need to find your specialized purpose.
In the age of the internet and online streaming, micro-genres of music have proliferated. While the typical genres still exist, there are a number of micro genres on offer now, from acid jazz to shoegaze, drone, post-metal, bedroom pop, and beyond. Communities. Interestingly, around
Services are more and more domain-driven and based on discrete functions. And, usually exposed via an API.
To take the music analogy one step further: similar to how streaming platforms allow unpaid users to test snippets of songs (or stream for free for a limited time), developer portals should enable instant testing. A great place to insert this, in my opinion, is in the documentation.
My favorite double entendre
Zuplo: https://ratemyopenapi.com/report/512eeb96-6a90-4e70-bc63-eced1aa9f308 - I like it because it can highlight exactly where in the schema the violation occurred and suggest AI-driven suggestions.
Treblle: https://apiinsights.io/reports/11bfd848-5f97-4280-978a-a6146e6fec69
REST is still the dominant style for web APIs. But, year over year, REST is steadily losing popularity to newcomer API design styles. In 2023, GraphQL usurped SOAP as the 3rd most popular option for API design styles.
Music listeners typically like an artist that has their own sound, which is pretty consistent from album to album. The Beatles, however, are an exception to the rule. They pioneered various genres and heavily evolved their sound from album to album, starting with catchy pop tunes, moving into folk, psychedelic rock, folk, Indian music, and total experimentation.
APIs, on the other hand, should not follow the Beatles' lead. Your API catalog should probably not look like this. Instead, consistency is key when designing APIs, because a hodgepodge portfolio of disparate API styles, URL conventions, and naming standards is just a recipe for poor developer experience and even sprawl issues.
## Both Are Products
You need a business perspective around a successful project, or else it will fail in the market. This is true for APIs, too. So, how is your API designed and packaged?
At Nordic APIs, we've tracked the emergence of API-first thinking that embraces the API as a product mantra. "The API is no different than another product," said Jason Harmon, CTO of Stoplight and API Intersections podcast host, in his presentation '[API-as-a-product: The Key to a Successful API Program](https://youtu.be/G3UZ_oiIw6I?si=sPdbvY_r3seX4FLM),' given at the Platform Summit 2023. "The future of APIs is all about product management."
To Harmon, treating your API as a product means seeing the overall network and relationship with your partners. It requires demonstrating business value and acquiring executive buy-in. He also advocates for a customer-first approach that informs API design. Other product-thinking techniques certainly apply to APIs, such as demonstrating business value, shipping early on and iterating, and documenting the service well. Which brings us to our next comparison.
When it comes down to it, both are products. You need a business perspective around a successful project, or else it will fail in the market. This is true for music albums. And it's true for APIs, too.
Like those deep cuts on an album that aren't getting many plays, APIs have their hit tracks, too. A study by Treblle recently confirmed this. As explained in [The Anatomy of an API in 2023](https://report.treblle.com/) report, the Treblle team analyzed over one billion requests across 9,000 APIs for trends and found that GET methods are, by far, the most popular type of API call.
But most interesting to me is that the report sheds light on the fact that many APIs are sitting inactive and unused. One in five API endpoints are zombie APIs, meaning that they haven't been used by anyone in the last 30 days. The takeaway is to analyze your traffic and shutter APIs that aren't used at all — as this will help maintenance and security.
Furthermore, knowing your high-traffic endpoints could help inform your true value proposition. Then, you can optimize the developer journey more for that use case and truly reap the benefits of your specialized, one-hit wonder.
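One way to act on the traffic-analysis takeaway above, as an added example that is not from the talk or the Treblle report: compare the documented operations against an access log to list operations with no served request in the last 30 days, plus served paths that appear in no inventory (the API9:2023 inventory gap). The inventory, the log format and every name below are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed inventory: documented operations as (method, path template),
# the way an OpenAPI definition would list them.
INVENTORY = [
    ("GET", "/albums"),
    ("POST", "/albums"),
    ("GET", "/albums/{id}"),
    ("DELETE", "/albums/{id}"),
    ("GET", "/albums/{id}/tracks"),
]

# Constructed access log, assumed format: ISO-8601 timestamp, method, path, status.
SAMPLE_LOG = """\
2024-03-10T09:15:02+00:00 GET /albums 200
2024-03-10T09:15:07+00:00 GET /albums/42 200
2024-03-09T18:30:11+00:00 POST /albums 201
2024-01-05T11:02:45+00:00 DELETE /albums/17 204
2024-03-08T07:44:00+00:00 GET /internal/export?format=csv 200
2024-03-11T02:00:00+00:00 GET /admin 404
not a log line
"""

def template_to_regex(template):
    """Compile /albums/{id} into a regex where each {param} is one path segment."""
    literals = re.split(r"\{[^}]+\}", template)
    return re.compile("^" + "[^/]+".join(map(re.escape, literals)) + "/?$")

def audit(inventory, log_text, now, window_days=30):
    """Return (zombie, shadow): documented operations with no served request
    inside the window, and served requests that match no documented operation."""
    cutoff = now - timedelta(days=window_days)
    matchers = [(m, t, template_to_regex(t)) for m, t in inventory]
    last_seen, shadow = {}, set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            ts, status = datetime.fromisoformat(fields[0]), int(fields[3])
        except ValueError:
            continue  # malformed line
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive stamps are UTC
        if status >= 400:
            continue  # rejected or not found: nothing was served
        method, path = fields[1].upper(), fields[2].split("?", 1)[0]
        for m, t, rx in matchers:
            if m == method and rx.match(path):
                last_seen[(m, t)] = max(ts, last_seen.get((m, t), ts))
                break
        else:
            shadow.add((method, path))
    zombie = [op for op in inventory if op not in last_seen or last_seen[op] < cutoff]
    return zombie, sorted(shadow)

if __name__ == "__main__":
    now = datetime(2024, 3, 12, tzinfo=timezone.utc)  # constructed "today"
    zombie, shadow = audit(INVENTORY, SAMPLE_LOG, now)
    print("unused for 30+ days:", zombie)
    print("served but undocumented:", shadow)
```

Operations in the first list are candidates for retirement after confirming with their owners; entries in the second list need to be documented or removed.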
I am the Editor in Chief of Nordic APIs blog, which publishes thought pieces on the API economy. We've been tracking the rise of APIs since 2013, and writing articles on the design, development, strategy, business, and security of APIs. There's a lot to unpack.