As seen on Listen Notes.
To build a fairly complex online service today, it is inevitable that you’d have to utilize 3rd-party RESTful APIs.
Listen Notes is both an API vendor and a customer of other APIs. We provide a popular podcast API to more than 3,300 companies and developers (as of Nov. 2021). Meanwhile, we also use a bunch of 3rd-party APIs ourselves. As you can see, without using 3rd-party APIs, we couldn't build Listen Notes as a tiny team (read more: The boring technology behind a one-person Internet company).
Enjoying a view from both sides of the table, we’ve learned plenty about how to evaluate a 3rd-party API, which may be very useful to you.
Security is king! Don’t hand the keys to your company’s kingdom to API hackers...
Yariv Shivek, Vice President of Product, at Neosec - a company that focuses on reinventing API security and preventing “threats lurking inside” all your APIs by analyzing their behavior - adds the notion of supply-chain security considerations to the list of API evaluation criteria.
Shivek states that the final decision maker is the CTO, with inputs from architecture and product management - yet emphasizes that evaluating API supply-chain security is important to consider as well.
“Take for example the recent vulnerabilities found in GoCD APIs, which could leak GitHub API keys to attackers, quite literally handing them the keys to your kingdom,” Shivek warned.
Being able to quickly speak with an API company’s employee may indeed reflect the company's overall responsiveness, but that might not be enough, Shivek stated, recommending perhaps a more vital list of questions to pose to your API provider:
- What sensitive information am I placing in the hands of the API provider?
- How much do I trust them?
- How quickly will they disclose a breach to me and to other consumers of their API?
- How well do I believe they will handle such a breach?
And most importantly - stay vigilant!
- Monitor your API traffic, both outbound (APIs you provide) and inbound (APIs you consume).
- Be on the lookout for anomalies so you can act (hopefully automatically) when something bad or suspicious happens.
Overall, technical industry experts tend to point to similar archetypes at the surface level of evaluating any API: Chiefly, you’ll want to closely examine the quality of support and documentation offered, security measures, and how much the API will improve your firm's efficiency.