
API Management Architecture – An introduction

In this blog, I will share my experience with API Management platforms and architecture. I am not going to discuss RESTful APIs and how they benefit an organization; I believe we now understand the need for, and the benefit of, RESTful APIs in boosting an organization's digital economy. In this blog I will touch on what API management is and why we need it, with more focus on the components and the architecture.

Why is API Management a ‘must have’?

As the name suggests, an API Management platform is used to manage the consumer-grade APIs that an organization owns. It comprises a set of tools to manage and expose APIs to the outside world in a secure and efficient manner. Below are the key pillars of having an API Management platform for your organization.


The key aspect here is security. Unlocking business assets to the outside world by means of APIs is not an easy task. With so many security vulnerabilities present in and around us, we need a robust platform with state-of-the-art security measures to protect our assets and provide the right information to the right consumers.

API Management – Typical architecture setup

An ideal API management platform is a layered architecture of different components interacting with each other. Below are the core components of an API Management platform.

  1. API Policy Manager
  2. API Portal
  3. API Lifecycle Manager
  4. API Analytics
  5. API Gateway

The image below showcases the reference architecture and how these components interact with each other.

The above architectural scheme shows a typical layered API Management platform setup in which an external and an internal API Gateway interact with the other components. Let’s walk through each of the components to understand their roles and responsibilities.

a) API Policy Manager – The Policy Manager is an administrative component used to manage the life-cycle of the policies we define to govern the APIs. Like a normal API, a policy has its own life-cycle management and goes through:

i) Design
ii) Development
iii) Testing
iv) Deployment
v) Deprecation
vi) Retirement

Every product provides out-of-the-box policies that let you augment your API with sophisticated features to control traffic, enhance performance, enforce security and increase the utility of your APIs, without requiring you to write any code or modify any back-end services. Extension policies let you implement custom logic in the form of JavaScript, Python, Java or XSLT.

b) API Portal – The portal, sometimes known as the community manager, is used to manage the APIs exposed to developers or community members. Its usage is twofold.

The portal is used by API owners/API developers to onboard APIs, i.e. to manage the complete life-cycle of APIs, onboard community developers and their consuming applications, and grant and control access to the APIs by applying plans and contracts.

The portal is also used by external/internal developers and the various community managers, who can view an API’s availability, document the APIs and test them. Usually this is powered by a CMS, which can be used to build custom sites and interact with developers.

c) API Life-cycle Manager – The API life-cycle manager is used to manage the life-cycle state of an API. Usually an API goes through Design -> Development -> Testing -> Deployment -> Deprecation -> Retirement. The life-cycle manager gives you the capability to build and manage the deployment of APIs across the environment stacks, up to production.

d) API Analytics – The API Analytics platform provides various dashboards reporting business analytics as well as operational aspects. It provides in-depth views of API usage and can give insights into usage patterns and trends, which helps the business decide whether to monetize an API.

From the operational side, it gives insight into the errors and performance constraints of an API.

e) API Gateway – The crucial component of the API Management platform suite. The gateway sits between API consumers and providers and provides controlled access to the back-end services/APIs. The gateway reads the API configuration and the associated policies, rules and metadata from the policy manager, and performs authentication, authorization, SSL termination and rate limiting. The gateway also integrates with an external or internal IAM/OAuth server for token validation.

The table below explains the interaction among the different components and the relationships between them.

| From | To | Purpose |
| --- | --- | --- |
| API Gateway | API Policy Manager | Read the policies and rules attached to the API, and the legal contracts and agreements that allow a consumer to access the API. |
| API Portal | API Policy Manager | API owners/developers define APIs, policies, licenses and contracts according to business needs; these are stored in the database and read by the policy manager. |
| API Lifecycle Manager | API Policy Manager | Manage the life-cycle of APIs, policies and other rules. |
| API Lifecycle Manager | API Gateway | Manage the deployment of the APIs and their associated policies. |
| API Gateway | NoSQL | A NoSQL database is used to store audit logs, metrics and usage data. The API Gateway writes these directly to the NoSQL database, and API Analytics reads them to prepare the dashboards. |
| API Policy Manager | RDBMS | An RDBMS is necessary to store the relational data, mostly API configurations and policies, which the API Gateway accesses through the policy manager to enforce policy on access to the API. |
| NoSQL | API Analytics | API Analytics reads the usage, alert and metrics data from the NoSQL database to prepare the dashboards. |
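The gateway's runtime duties described under e) and its interactions in the table (reading policies from the policy manager, validating tokens against the OAuth server, writing audit data that API Analytics reads) as an added Python example; this is not code from the original post or from any product. The policy store, token introspection results, audit store and the `/orders` scope and rate-limit values are constructed, hypothetical stand-ins.

```python
# Added example, not from the original post: a minimal gateway policy chain. Stand-ins
# for the policy store, OAuth token introspection and the NoSQL audit store are inline.
import time
from collections import defaultdict

# Constructed stand-in for the policies the gateway reads from the policy manager.
POLICY_STORE = {
    "/orders": {"required_scope": "orders:read", "rate_limit": 3, "window_sec": 60},
}
# Constructed stand-in for the IAM/OAuth server's token introspection results.
TOKEN_DB = {
    "tok-app-a": {"active": True, "client_id": "app-a", "scope": "orders:read"},
    "tok-app-b": {"active": True, "client_id": "app-b", "scope": "catalog:read"},
    "tok-expired": {"active": False, "client_id": "app-c", "scope": "orders:read"},
}

class Gateway:
    def __init__(self, policies=POLICY_STORE, tokens=TOKEN_DB, audit=None):
        self.policies, self.tokens = policies, tokens
        self.audit = [] if audit is None else audit  # stand-in for the NoSQL store
        self.hits = defaultdict(list)  # (client_id, path) -> request timestamps

    def handle(self, path, token, now=None):
        """Apply the policy chain in order and return the HTTP status sent back."""
        now = time.time() if now is None else now
        policy = self.policies.get(path)
        if policy is None:                      # no API configured for this path
            return self._audit(path, None, 404, now)
        claims = self.tokens.get(token)
        if not claims or not claims["active"]:  # authentication: token validation
            return self._audit(path, None, 401, now)
        client = claims["client_id"]
        if policy["required_scope"] not in claims["scope"].split():  # authorization
            return self._audit(path, client, 403, now)
        # Rate limiting: sliding window of recent requests per consumer and API.
        recent = [t for t in self.hits[(client, path)] if now - t < policy["window_sec"]]
        if len(recent) >= policy["rate_limit"]:
            self.hits[(client, path)] = recent
            return self._audit(path, client, 429, now)
        self.hits[(client, path)] = recent + [now]
        return self._audit(path, client, 200, now)

    def _audit(self, path, client, status, now):
        # Every decision, including rejections, is recorded for API Analytics.
        self.audit.append({"ts": now, "path": path, "client": client, "status": status})
        return status

def error_rate(audit):
    """Analytics-side view over the audit store: share of 4xx/5xx responses."""
    return sum(r["status"] >= 400 for r in audit) / len(audit) if audit else 0.0
```

Rejected requests are audited as well as successful ones, so the analytics view can expose a consumer that is repeatedly hitting 401/403/429 rather than only counting served traffic.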


Next blog: Architectural Considerations

The next blog will go into Architectural Considerations, Principles and Pitfalls.

More about API Management

The digital ecosystem is evolving in many directions. Organizations are adopting multiple channels to open new sales channels, trigger new business models and generate more and more revenue. This creates the need to unlock business assets to the outside world in a secure manner. The increasing demand from Internet business models, IoT, social media and cloud adoption will exponentially increase the need to expose business assets to the outside world by means of APIs.