In order to answer this question, let's look at how APIs can be categorized.
First of all, let's look at API Exposure. The two categories are:
- External : Able to be used outside the organization.
- Internal : Used only inside the organization
- Open: Anybody can use the API, anonymously with no controls
- Requiring Registration: Developers are identified with API Keys and usage is monitored accordingly
- Enterprise: Goes beyond just developer registration, adding tight controls on sensitive data, integration with enterprise systems such as Identity Management and event monitoring (SIEM, Splunk, etc).
These axes are orthogonal. Using these axes, APIs divide into six categories. Let's look at the categories:
External APIsOpen External APIs
These are APIs which are open to anybody to access. Usually they take the form of read-only public data feeds.
An example is the Nobel Prize API, which allows a developer to query information about Nobel Prize winners. Another example is the Massachusetts Roadway Events API, which provides developers with access to the (many) roadworks projects happening in Massachusetts at any given moment.
External APIs requiring Registration
These are APIs which are open to any developer to use, but require the developer to register. Once a developer registers, they typically get an API Key. It's important to note that the API Key is not necessarily used for authentication, but instead it is used for identification of the app developer. In this way, the API publisher can apply limits (throttling) to the usage of their API, and track the usage also.
An example is the US Postal Service's Shipping API. Any developer can use this, but they must register first. The Google Maps API is another good example of a External API which requires registration. API Keys are required in order to use this API, but any developer can sign up for it. Another example is the Staples API which allows the Staples catalog to be queried. The data is not sensitive, but the developer access is controlled with API Keys.
External Enterprise APIs
These APIs are used to conduct business, or to access sensitive data such as health records. Documentation and information about the API is sometimes public, as in the case of some payments APIs. In many cases though, developer access to the API is by invitation only, and the documentation may be private. An example is a large HMO in the US which provides an API to retrieve patient prescription information. Access to this API is tightly controlled. Another example, in the B2B space, is a large 401.K provider which allows its corporate customers to provision their new employees with 401.K plans via an API. Access to this API is also tightly controlled.
Other examples of Enterprise External APIs come from the "Internet of Things" where devices such as electricity meters transmit sensitive information via APIs, and this data must be tightly protected.
Enterprise External APIs are typically linked to other enterprise systems such as enterprise Identity Management (IdM).
Internal APIsJust like on the Internet, lightweight REST APIs are taking over from heavyweight SOAP services inside the organization. However, SOAP and XML are still a fact of life, which means that Internal APIs typically span both XML and JSON.
Open Internal APIs
An example is a company directory API. It is open to all access.
Internal APIs requiring Registration
In some large organizations, as part of an initiative to allow internal developers to develop apps to be used by company employees, some functionality may be exposed as APIs. Access to these APIs is managed, so that developers can sign up, and usage of the APIs can be monitored. An example is an inventory lookup API, which checks the inventory of a particular item in a warehouse. This may be used to develop internal apps for personnel in the field. Internal developers sign up to use this API, get their API keys, and the API usage is monitored in order to prevent data-mining or excessive usage. However, data sensitivity itself is low.
Internal Enterprise APIs
These include APIs used to access private customer data, which may be subject to regulatory controls. Enterprise-class controls are required for these APIs. Even though its exposure is just internal to the organization, its data sensitivity is high. Remember that many privacy breaches come from inside the organization.
In the financial services sector, these include APIs to perform fund management operations such as buying and selling stock. For example, in one large Mutual Fund company, fund managers required the ability to manage their funds via iPad apps. This required access to Internal Enterprise APIs from iPads. This was delivered using tightly-controlled Internal Enterprise APIs.
In the healthcare sector, this category includes APIs which access patient data from inside hospitals and health insurer systems.
On top of simply registering developers, Internal Enterprise APIs require rules to be in place for sensitive data protection, and for a signed audit trail, to prove which user has accessed the API. Internal Enterprise APIs also must integrate with enterprise Identity Management, such as directories and single sign-on.