I am fond of the saying “Who watches the watchers?” When applied to the API sector, it addresses a very real problem: how do you manage standards, and adherence to standards, in the API space?
Nacha, the payments association, has announced new standards for electronic payments APIs. The work is being led by Apigee and Accenture, two major players in enterprise APIs. Apigee famously provided one of the major gateway products, and was acquired by Google. Accenture does consulting for many, if not all, of the major global finance companies.
Standards make sense
We see a lot of divergence around the world in what “Open Banking” means to different groups. The European Union backed away from the challenge of a standard for APIs by mandating what should be shared but then not specifying the details. The UK went the other way, mandating very specific sets of data that should be shared via Open APIs.
But just having a standard doesn’t always help in the API space. OAuth is a standard, but, as with Heinz, there are multiple varieties of it – we wrote a paper on it with the team at OAuth.io three years ago, and while it’s one of the key ways in which data is accessed securely for APIs, it’s still not evenly implemented. What works for Twitter may work for LinkedIn but be implemented completely differently, even though both technically use the same version of the ‘standard’.
So standards work best, or work at all, when there are means to measure them. We don’t self certify what a yard or meter are; a bar doesn’t randomly decide what constitutes a pint in their establishment. They work from a standard, which can be validated by somebody else. But in the API space and the IT world, what does that really mean?
Historically, however, it has meant that companies do exactly that: they certify themselves. SRE, DevOps and other Operations groups use many tools to tell them how things are working, but we often see that the tools themselves are an integral part of the technology being monitored.
Self certifying software performance where it intersects with the real world brings its own set of challenges: just ask VW.
Foxes guarding hen houses
Do you trust the organizations supplying the technology you depend on to tell you how well they are working, or whether or not they might be causing problems with other technology? The answer is obviously no, and yet we do it all the time in IT. Whether it is relying on the API Gateway logs to tell you if the gateway is functioning, or on the cloud monitor from your cloud vendor to tell you that everything is working well, we use these systems to identify problems in themselves.
When the entire sector depends on interactivity and real business operations are on the line that isn’t really good enough.
We don’t trust many things purely on the say-so of the people who sell us things; there are entire industries dedicated to scoring and measuring things in such a way as to ensure that we’re getting what we pay for. And yet, in enterprise IT we are way behind on this and still relying on the wrong tools, or the wrong ways, to monitor these essential contracts between people.
Kin Lane raised the issue of the API Contract 4 years ago – and we still don’t have measurable contracts for many of these items, especially around performance.
It needs to change.