Who develops the same API for both internal and external use (OpenAPI)? We have developed a catalog of nearly 900 APIs for the internal use of our various information systems and wish to develop open APIs accessible to third parties outside our organization. We are questioning whether we should develop our APIs in the same way for both internal and external use (OpenAPI), or whether it is preferable to differentiate the APIs we develop, with a separate design for internal and external use (mainly for security reasons, and regarding the range of data we can expose inside vs. outside our organization). Has anyone already faced this question?

Chief Technology Officer in Software, 13 days ago
We have exposed 200+ APIs externally to our users, out of 300+ internal APIs. For internal service-to-service auth we use auth-based tokens, and for external APIs we refresh the token via another API every 3 hours and use that to restrict access and authorization to data.

VP of Engineering in Insurance (except health), 11 days ago
We have faced this situation and have deployed some of our APIs for external use. We created a hierarchy of APIs: internal, system, experience and external. As you pointed out, external-facing APIs have elevated security, performance, and documentation requirements.
CIO in Services (non-Government), 11 days ago
We could say that if API security follows zero-trust principles, the internal API could be open.
Unfortunately, our experience is different. Most internal APIs are not ready to be exposed publicly. The restrictions from security (WAF, token management, ACLs, throttling, audit, data sensitivity and confidentiality) are different. Additionally, the exposed APIs will represent you and your company; they should be consistent, easy to adapt, atomic and well documented.
It does not mean that you have to redesign the whole API, but mostly it requires at least another exposure on the API GW and an API wrapper. Among our clients (tens of companies in the financial sector, manufacturing, telco and utilities, where we either deployed APIM, or maintain/support APIM, or do enhancement development), the external APIM is always a separate instance (or even a different technology solution) from the internal APIM.
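Putting the first reply's three-hour external token and the last reply's list of gateway restrictions (token management, throttling, data sensitivity) into working form, as an added example that is not code from any of the posters: a minimal external-exposure wrapper in Python that sits in front of an unchanged internal API. The signing secret, the `customer:read` scope, the sample customer record and every function name are assumptions made for this example; the WAF, ACLs and audit logging the reply also lists are out of scope here.

```python
"""External-exposure wrapper in front of an internal API (added example).

Three controls the replies above mention: a short-lived signed token for
external clients (3-hour lifetime), a per-scope field allowlist so
internal-only data never leaves the gateway, and per-client throttling.
The secret, scope name, sample record and function names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing secret (example only; keep real ones in a secrets manager).
EXTERNAL_TOKEN_SECRET = b"example-secret-do-not-use"
TOKEN_TTL_SECONDS = 3 * 3600  # three-hour lifetime, as in the first reply

# Constructed sample of what the internal customer API returns unfiltered.
INTERNAL_CUSTOMER_RECORD = {
    "id": "c-1001",
    "name": "Example Customer",
    "email": "customer@example.com",
    "national_id": "123-45-6789",      # internal-only
    "internal_risk_score": 0.82,       # internal-only
    "account_manager": "employee-42",  # internal-only
}

# Hypothetical scope -> fields the external API may return for that scope.
EXTERNAL_FIELDS = {"customer:read": {"id", "name", "email"}}


def _sign(body: str) -> str:
    return hmac.new(EXTERNAL_TOKEN_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_external_token(client_id: str, scopes: list, now: Optional[float] = None) -> str:
    """Mint an HMAC-SHA256-signed token that expires TOKEN_TTL_SECONDS from `now`."""
    now = time.time() if now is None else now
    payload = {"sub": client_id, "scopes": scopes, "exp": int(now + TOKEN_TTL_SECONDS)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def verify_external_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".", 1)
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):  # constant-time compare, checked first
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= now:
        return None
    return payload


def external_view(record: dict, scopes: list) -> dict:
    """Drop every field not allowlisted for the caller's scopes (default deny)."""
    allowed = set()
    for scope in scopes:
        allowed |= EXTERNAL_FIELDS.get(scope, set())
    return {k: v for k, v in record.items() if k in allowed}


class ClientThrottle:
    """Per-client token bucket: `capacity` burst, refilled at `rate` requests/second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self._buckets = {}  # client_id -> (tokens, last_seen)

    def allow(self, client_id: str, now: float) -> bool:
        tokens, last = self._buckets.get(client_id, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._buckets[client_id] = (tokens, now)
            return False
        self._buckets[client_id] = (tokens - 1.0, now)
        return True


def handle_external_request(token: str, throttle: ClientThrottle,
                            now: Optional[float] = None) -> tuple:
    """Gateway wrapper: authenticate, throttle, then call the internal API and filter."""
    now = time.time() if now is None else now
    payload = verify_external_token(token, now)
    if payload is None:
        return 401, {"error": "invalid or expired token"}
    if not throttle.allow(payload["sub"], now):
        return 429, {"error": "rate limit exceeded"}
    # The internal call is stood in for by the constructed sample record.
    return 200, external_view(INTERNAL_CUSTOMER_RECORD, payload["scopes"])
```

The point of the allowlist is that it is default-deny: a new internal field (say, a second risk score) is invisible externally until someone deliberately adds it to `EXTERNAL_FIELDS`, which is the opposite of exposing the internal contract and trying to blocklist sensitive fields afterwards. The internal API itself is untouched, matching the reply's point that a separate exposure and wrapper, not a redesign, is usually what is needed.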
