Table of Contents
It can be frustrating to understand API governance when you’re new to API management. Many articles discuss the details of one aspect of API governance in-depth, leading the reader farther from the big picture. Thus, their understanding suffers, and they miss the purpose of governance.
This article hopes to center your understanding of API governance by providing the benefits, essential definitions, and best practices. In the end, we hope that you can take your understanding of API governance and apply it to the areas that best fit your needs.
Learn more about Executive Support, Structure, & API Governance with our Ebook.
In this ebook, you’ll learn how to:
- Determine how the APIs you are using – private, public, third-party, and partner APIs – fit into your strategy
- Build internal structure and support for your API program
- Create an effective strategy leveraging five key components
An API is an application programming interface. People interact with applications through the user-interface (also known as graphical user interface, or GUI). Conversely, applications don’t need a graphical interface to interact with one another. Applications can interact much more efficiently using code, protocols, and procedures.
Technically, an API can be any application interfacing with another. This could be on your computer, in an internet-of-things (IoT) device, or over a network. Recently, API has become synonymous with web-API. This is because web-based APIs are the most popular.
Web APIs follow HTTP protocols to share resources over a network. The HTTP protocols include recognizable terms like status codes and request types.
“[Governance is] the processes of interaction and decision-making among the actors involved in a collective problem that lead to the creation, reinforcement, or reproduction of social norms and institutions”
Marc Hufty 
This is a traditional definition of governance, but it allows us to create a workable definition: API governance is the processes and collective decision-making done by stakeholders when creating and reproducing web-based APIs.
Collective decision-making is a vital part of that sentence. In more simple terms, a collective decision is a rule or policy. The result of API governance is creating policies, rules, and conventions that allow the parties involved to work independently of one another but effectively towards the same goal.
API governance produces policies concerned with:
These all sound like important aspects when talking about APIs. Furthermore, the fact that all policies are important produces its own set of problems.
Challenges to API Governance
The difficulties of API governance start to appear with growth. A good problem to have is the need to govern APIs across multiple teams, cloud environments, and gateways. That’s where governance pays off.
I don’t want to get ahead of myself, but the benefits of API governance are a direct response to the challenges that organizations face when APIs for created by different teams at the same time, or by the same team at a different time. Who makes decisions? Do we support SAML? What metadata can we expect from the gateway? What did we do last time?
However, the challenges of API governance come from the edge cases. It’s at the points in the application, or API, where the product is stretched or expanding. That’s when conventions, rules, and policies are tested because they become less convenient. Conversely, if there are no policies, implementations get messy, become difficult to use, and break.
In the next section, we’ll further explore API governance’s benefits and why an organization would want to create API policies.
Benefits of API Governance
API governance concerns itself with providing standardized conventions for documentation and consistent security and access control mechanisms.
Ed Anuff 
API governance is beneficial when a team is actively creating, updating, and managing multiple APIs during their lifecycles. This is entirely due to the concept of standardization.
Standardized APIs guide teams when it comes to delivering APIs. Policy creation is designed for consistency across APIs. Therefore, when a question arises involving versioning, documenting, or deprecating, there is no debate on what to do. The collective decision has already been made into a policy to follow.
Standardizing APIs does not mean centralizing them. On the contrary, consistent APIs allow for decentralized API creation because they all follow the same rules. The APIs are consistent, compliant, and reusable.
With policies in place, designers, developers, and DevOps are informed about the API before it’s been created. This makes API governance an ideal choice for an API First approach.
In API First, the APIs become the focal points for product creation. This is due to the assumption that mobile applications, client applications, and developers will all be interacting with the API in one capacity or another. The approach has grown in popularity with the rise of API for application infrastructure and microservices.
API Governance Policy Example
An example policy common with API governance is for all APIs to follow a certain version of the OpenAPI specification.
The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic.
OpenAPI Initiative 
Following a defined OpenAPI spec version lets developers, QA (quality assurance testing), and other engineers start work on the API before a single line of code has been written. Additionally, many testing tools can read and integrate with the OpenAPI spec.
API Governance Best Practices
Listed below are some best practices to follow for API governance that can increase its effectiveness. Additionally, there are some strategies that help achieve the goal to standardize APIs and keep them consistent:
- Standardize metadata across APIs to track analytics. This helps with logging (errors) and tracking analytics across all your APIs. Additionally, this allows you to abstract all your API data from an application and explore application analytics.
- Set up role-based access control. Start with setting user permissions, with a default zero-access group, and provide access to members as needed.
- Deploy common schema across all API requests and responses
- Establish machine-readable rules for validating the use of common patterns
- Adopt a versioning scheme. Consistent versioning allows broad communication of features and compatibility.
- Meet all governance policies before production deployment. If your organization has a policy, it’s best to ensure that policy is followed before the API is put into production.
- Avoid one-off integrations. One-off integrations and special cases create wasted time because people have to figure out the special use case every time a new change is made.
- Have a definition of success while measuring and reporting on outcomes.
In closing, most teams and organizations have some form of governance in place. However, it’s a good idea to formalize your policies and rules into an API governance strategy. This helps when creating new APIs in the future and dealing with the different lifecycles of current APIs.
I hope this article helped give you an understanding of what API governance is and how it’s beneficial. Thanks for reading!
What is an API First Approach
In API First, the APIs become the focal point for product creation. This is due to the assumption that mobile applications, client applications, and developers will all be interacting with the API in one capacity or another.
Difference between API and microservice
A microservice can be an API endpoint. Microservice is a term given to specialized endpoints, or services, that perform one part of an application. Primarily, it's used to describe services in a microservice architecture. Microservice architectures are the inverse of a monolithic application.
What is an example of API governance?
An example policy that is common with API governance is for all APIs to follow a certain version of the OpenAPI specification.
1 Hufty, Marc (2011). “Investigating Policy Processes: The Governance Analytical Framework (GAF). In: Wiesmann, U., Hurni, H., et al. (Wikipedia. Accessed Feb. 2021)
2 Anuff, Ed. APIs Are Different than Integration. Apigee, p. 10, cloud.google.com/files/apigee/apigee-apis-are-different-than-integration-ebook.pdf. Accessed 15 Feb. 2021.
3 Lane, Kin. “API Governance with Postman” Postman, 26 Aug. 2020. PowerPoint presentation. https://www.slideshare.net/GetPostman/postman-webinar-api-governance-with-postman. Accessed 15 Feb. 2021.
4 “Understanding the API-First Approach to Building Products.” Swagger.io, 2021, swagger.io/resources/articles/adopting-an-api-first-approach/. Accessed 17 Feb. 2021.
5 OpenAPI Specification. edited by Darrel Miller et al., Version 3.1.0 ed., OpenAPI Initiative, 15 Feb. 2021, spec.openapis.org/oas/v3.1.0. Accessed 17 Feb. 2021.
6 Sindall, Gemma. “What Is API Governance? 8 Best Practices for API Governance Success.” DigitalML, 4 Feb. 2020, www.digitalml.com/api-governance-best-practices/. Accessed 15 Feb. 2021.