
Ask HN: Best API management solution - jbnicolai
Considering features such as:

  * throttling
  * rate limiting
  * authentication and authorization
  * API usage analytics

What are the experiences of the collective HN crowd regarding the plethora of paid and open source tools out there? What are the pitfalls to look out for, and with which one(s) were the best experiences had?
======
brudgers
I am curious as to what tools your team has considered so far, where they
partially met the requirements, and where they fell short, because context will
provide relevant answers.

To put it another way, for Google the answer to the tooling question is form
an inhouse team, include one of the fellows who wrote C to develop a
performant garbage collected language, and then throw some of those quarter
million dollar a year plus engineers at writing whatever tools you want. At
the other end, some entrepreneurial idea person tells the contract PHP
programmer to make it happen next week. In the middle is someone who hires a
consultant and another person who combines Legos on AWS themselves.

Which is a round-about way of getting to the critical idea: the good solutions
for your company must fall into a very narrow range of technical _and_
business criteria.

Good luck.

~~~
jbnicolai
Good question! I didn't include too much context in the top-level question to
keep the discussion as broad as possible, and hopefully have advice applicable
to others as well, but am more than happy to expand a bit here.

It concerns a large multinational in the transport sector. While we have built
up a strong digital department, there's a lot of catching up to do, so the
more 'batteries included' any given solution has the better.

On the other hand, it's crucial that we can extend any given tool as there
will undoubtedly be unforeseen or non-default scenarios. For example: we'd
love to perform some analytics on not just what customers are calling the
APIs, but perform more detailed queries based on e.g. request parameters,
geoIP, or perhaps even User Agent headers. It is absolutely no problem to have
to do this ourselves by performing raw queries on the database, and perhaps
build our own dashboard around it, but again; if there's something that
already covers a lot of these cases that'd be ideal.

The minimum required functionality is that the tool can operate as an
authenticating proxy, only passing on requests when the e.g. OAuth2 headers
are verified. Other security aspects, such as throttling and rate limiting are
a requirement as we're dealing with systems that must be protected from
unforeseen load.

Nice to haves are features such as autogenerated documentation pages, where
clients can test the APIs from within their browser. On the other hand:
rolling this ourselves using Swagger wouldn't be a problem either.

Research so far has included looking at some open source tools, e.g. Kong[1]
from Mashable, apigee[2], reading up on Gartner's magic quadrant re. API
management, and demos from IBM and CA. Costs of these vendor tools aren't a
major concern, lack of modifiability absolutely is. I'm currently leaning
towards Kong, but am wondering if others have interesting experiences to
share.

[1]: [https://getkong.org/](https://getkong.org/)
[2]: [https://apigee.com/](https://apigee.com/)
[3]: [https://www.gartner.com/doc/reprints?id=1-2DC669J&ct=150409&...](https://www.gartner.com/doc/reprints?id=1-2DC669J&ct=150409&st=sb)

~~~
mtmail
[https://www.3scale.net/](https://www.3scale.net/) comes with a lot of
batteries included: user login, user dashboard, email handling, if you wish
even payment. It's ideal if on the engineering side you just want a simple API
call (to 3scale) that returns 'yes/no' for a given API key and everything else
can be configured and designed by a non-engineer. We got something running in
two days. It's easy to outgrow 3scale though. We're moving away from them
because we handle millions of requests/day (saving money).

You might want to check out [http://apiaxle.com/](http://apiaxle.com/). The
folks at [https://mapzen.com/blog/apiaxle/](https://mapzen.com/blog/apiaxle/)
seem happy. Near the end of the blog post they point to
[https://aws.amazon.com/api-gateway/](https://aws.amazon.com/api-gateway/) as
well.

~~~
jbnicolai
Thanks! Definitely going to look at these. Can't believe I wasn't aware AWS
came with an API gateway service as well.

------
jbnicolai
Previous discussion related to Kong [open source product from Mashape]:
[https://news.ycombinator.com/item?id=9451947](https://news.ycombinator.com/item?id=9451947)

------
Raed667
I'm not aware of a solution that does all this, but for analytics, I have
tried Keen.IO [0] which was nice.

[0]: [https://keen.io/](https://keen.io/)

------
thomas-b
Been playing with [https://tyk.io](https://tyk.io) (Open source and SaaS),
quite happy about it.

