Who Watches the Watchmen
Self-Regulation, although sometimes viewed in a negative light, is actually a key cog in today’s global economy. It has helped a wide range of industries, from advertising, to health care, to professional sports. In advertising, groups like the Interactive Advertising Bureau and the National Advertising Review Council have helped protect consumers and monitor the industry. Within the health care industry, the American Medical Association has supplemented the government regulators to assist with maintaining the strict practices and procedures. The world of professional and amateur sports is very fragmented, however they all have governing bodies that assist with maintaining regulations (e.g. NCAA, NFL, Little League Baseball). All of these industries took different routes, but all had similar landing zones. Through establishing industry standards, setting benchmarks and maintaining a non-vertically owned market, they have limited outside regulatory actions as much as they could and have created thriving, profitable markets. With the API Industry and the Internet of Things (IoT) market growing exponentially, regulation is going to be key to sustaining that growth.
There are three parts to self-regulation: creating regulations, monitoring compliance, and enforcing regulations. Within the API/IoT Industry there have been great strides made in all three of these parts. The API privacy standard OAuth has been extremely successful, standard practices like basic HTML codes create some uniformity and benchmarks like average latency and pass rate of the API. This is a great foundation, but it needs to be fortified and built upon. As our world becomes more connected and the Internet of Things takes a stronger hold on everyday life, the use of APIs will continue to skyrocket.
Privacy is always going to be a predator v. prey relationship and require constant updating, but keeping data private is in the interest of both the consumer and supplier so that issue will always be front and center.
Basic HTTP Status codes don’t appear to be going anywhere anytime soon, but developers are building upon tribal knowledge and learning from their past mistakes. Keep an eye on ProgrammableWeb or SD Times for a week and you are bound to see a “Use These HTTP Codes When Building Your App” article. HTTP Status codes have been standardized, but there are still some glaring holes with how these codes are being implemented. For example, an API may show an HTTP 200 response, but the call could have actually returned an error. Or, the issue of Response Validity – what is the API actually returning? Does it always return the expected result, or is the content of the packet incorrect? We expect an industry standard to appear (such as establishing a norm of not returning a HTTP 200 response if there is something potentially unexpected to the API user in the payload) and, over time, these wrinkles will flatten out
API Performance Benchmarks are not as far along as the others within the API Self-Regulation foundation. Just about every API has a self-stated Average Latency (how long an API call took on average) and Pass Rate. Developers utilize these benchmarks to determine how reliable an API is, and whether they should incorporate it into their mobile app or website. The main issue here is how these metrics are generated, verified and if they are consistent.
A good portion of the time, the Average Latency and Pass Rate are generated with results from the testing period of the API. Even with the most rigorous testing, these numbers will still not be a direct reflection of how the API performs in the wild. Beyond that, the testing process for an API should only once the API has been retired, meaning a popular, well performing API should be continuously monitored and optimized.
In the current market, when an API service is sold to a user, the Average Latency and Pass Rate of an API is benchmarked and stated in the Service-level Agreement (SLA). Technically and contractually, the API needs to meet these metrics on average in order to not break the SLA and potentially void the contract.
While Privacy will remain the biggest hurdle in the rapid expansion of the API Economy, we believe more attention needs to be paid to creating checks and balances within the market. When a new automobile is brought to the market, groups outside of the original auto-maker perform tests to determine what the estimated miles per gallon will be. This was started to protect the consumers. Imagine if mileage estimates were left up to the automakers, or worse, the car salesman.
This is where tools like APIContext can really fill a much needed gap in our Self-Regulatory Foundation. Instead of relying on the API providers or gateways to determine performance benchmarks on the APIs they sell, a third party product can give a bias free check. Beyond just setting those benchmarks, continuous monitoring can ensure that those numbers don’t change over time and drop below what was agreed upon. A few of the major API management companies have taken note and are starting to offer third party monitoring plugins, for their dashboards.
Third party monitoring is nothing new, but it is still a young branch of the API economy. Much like third party tracking within the advertising industry, third party auditing within the financial industry or third party reviews in the food industry. This is something the API market needs to adopt universally and make industry standard. Once this is set, and privacy issues are limited, there is nothing stopping the API/IoT Economy from continuing the exponential growth it has shown of late.
Don’t get caught with your stats down! Monitor the performance of your critical APIs with APIContext. Get started TODAY!
