Do I Need an Identity API (Part 1 of 3)
There is a lot of talk today about the API Economy. The vision of a vast universe of distributed business services that can be knit together on the fly to fulfill a broader business purpose is slowly but surely moving towards reality. In our world, this translates into APIs that can help facilitate Identity and Access Management (IAM) functions. This is the first of a short series of posts that will help you learn:
- If you need an Identity API
- How to go about building an Identity API
- How to make sure it's successful
First lets define what an API is, API stands for application programming interface. An API provides a service for colleagues, partners, or third-party developers to access data and services to build targeted applications such as mobile apps quickly. Twitter and Facebook APIs are famous examples. There are APIs that are open to any developer, APIs that are open only to partners, and APIs that are used internally to help run the business better and facilitate collaboration between teams.
An API then, is essentially a contract. Once such a contract is in place, developers are enticed to use the API because they know they can rely on it. The contract increases confidence, which increases adoption. The contract also makes the connection between provider and consumer much more efficient since the interfaces are documented, consistent, and predictable.
So what is an Identity API? An Identity API is a well-defined HTTP/S based service that makes everything from a single focused task (i.e. reset password) to the entirety of your Identity and Access Management infrastructure available to developers. It could be a public API, but more likely it is a private one available to other internal groups and business partners. It might allow an external partner to register contractors, the portal team to build a customer registration site, or the marketing department to manage agency access to digital assets, or anything in between that your IAM infrastructure supports.
So how do I know if I need an Identity API? Well, like many things in life, it depends, but consider a few questions:
- Are your internal customers or partners asking for an API? Sometimes sophisticated customers or partners ask if you have an API to help make a technical integration easier.
- Do you need more flexibility in providing content? APIs can provide extreme flexibility for providing IAM content when and how you want to, under your terms and with granular control, while meeting your user’s needs.
- Do you want to scale integration with customers and partners? Having an Identity API provides a simple and flexible way to integrate with high-volume customers and partners.
- Would an API improve your IAM technical architecture? Sometimes creating a separation layer between systems allows for much more flexibility and agility.
- Are you being asked to support IAM in a second mobile app? Time is usually of the essence for IAM support in the first mobile app, when it comes time to create or support the second one though, IAM teams frequently realize they are at risk for getting into on ongoing cycle of repeating a great deal of work for each additional app.
Assuming you answered yes to at least of couple of the questions above, you might want to consider adding a API to your IAM infrastructure stack. Some best practices to keep in mind as you enter the planning phase:
- Start small. Pick an internal customer or business partner that is asking for an API and has developers that are willing to work with you to prototype something that is useful to them, you will learn a great deal.
- Make your Identity API easy to try and use. Successful API programs remove all barriers to use, offering immediate usefulness whenever possible. If you require registration for use, make it simple. Provide an interactive sandbox so developers can play with the API prior to writing any code.
- Less is more. Start with the absolute minimum of functionality and then add capabilities over time, as real world feedback is collected.
And don’t underestimate the importance in designing and deploying infrastructure and security, taking care of legal considerations, putting in place an operational framework, and marketing your service (you do want people to use it after all). We will take a deeper look at these topics in upcoming posts.