
Know Your API Consumers and Employ Appropriate API Rate Limits

April 28, 2025 · Kin Lane

I have long been an advocate for wide self-service API onboarding with loose rate limits, but in the age of artificial intelligence I’ve gotten much more conservative. APIs have always been about identifying who is consuming your digital resources and imposing service composition on them, ensuring API consumers only have access to the resources they are supposed to, and only in the amounts that are in alignment with wider business strategy. The technology for managing your API consumers hasn’t changed in 15 years, but my guidance on how to use it has changed in the following ways.

  • Slow Your Onboarding - Slow down your onboarding process with manual human approvals, or at a minimum apply strict rate limits to all unverified self-service consumers of your APIs.
  • Know Your Humans - Require that your developers sign up with a corporate email, or one associated with an identifiable human working for a legitimate business entity, before giving access.
  • Usage Patterns - Have a solid understanding of the usage patterns you are looking to support with your API, and have those well defined as rate limits applied per second, minute, day, week, and month.
  • Rate Limits - Leverage well-defined rate limits for all API consumers: keep them strict for new users, and loosen them for consumers who are generating revenue and value for your business.
  • Regular Audits - Regularly go through your API consumers and audit who they are and how they are using your digital resources, and shut off any consumer whose usage doesn’t match the active usage patterns you want.
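The following is an added example of how the plan-based, multi-window limits described in the list above fit together in code; it is not code from the post or from any gateway product. It assumes a gateway calls `check()` once per request with the consumer's identity and the current time, that every consumer has been assigned a plan ("unverified", "verified", "revenue") during onboarding, and the limit values themselves are constructed for illustration. Unknown consumers are denied outright, and `usage()` gives the per-window counts a periodic consumer audit would review.

```python
"""Plan-based, multi-window API rate limiter (illustrative example, not the
author's or any vendor's gateway code)."""
from collections import deque
from dataclasses import dataclass

# Per-plan limits: window length in seconds -> max requests allowed in that window.
# These values are constructed for the example; a real gateway loads them from
# its plan configuration.
PLANS = {
    "unverified": {1: 2, 60: 20, 86400: 200},        # self-service, no human review yet
    "verified": {1: 10, 60: 300, 86400: 10000},      # identified human at a real business
    "revenue": {1: 50, 60: 3000, 86400: 250000},     # consumers generating revenue
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    window: int = 0           # window (seconds) that was exhausted, when denied
    limit: int = 0            # that window's limit
    retry_after: float = 0.0  # seconds until one slot frees up in that window


class PlanRateLimiter:
    def __init__(self, plans=PLANS):
        self.plans = plans
        self.assignments = {}  # consumer_id -> plan name (set at onboarding)
        self._hits = {}        # consumer_id -> deque of request timestamps

    def assign(self, consumer_id, plan):
        """Record the plan a consumer was approved for during onboarding."""
        if plan not in self.plans:
            raise ValueError(f"unknown plan {plan!r}")
        self.assignments[consumer_id] = plan

    def check(self, consumer_id, now):
        """Decide one request at time `now` (seconds, any monotonic clock).

        Every window of the consumer's plan must have headroom; the first
        exhausted window (shortest first) is reported back with a retry hint.
        Consumers with no assigned plan are denied: no identity, no access.
        """
        plan = self.assignments.get(consumer_id)
        if plan is None:
            return Decision(False)
        limits = self.plans[plan]
        hits = self._hits.setdefault(consumer_id, deque())
        # Forget anything older than the longest window; it can no longer count.
        longest = max(limits)
        while hits and now - hits[0] >= longest:
            hits.popleft()
        for window in sorted(limits):
            in_window = [t for t in hits if now - t < window]
            if len(in_window) >= limits[window]:
                # The oldest hit still inside this window is the next to expire.
                return Decision(False, window, limits[window],
                                in_window[0] + window - now)
        hits.append(now)
        return Decision(True)

    def usage(self, consumer_id, now):
        """Per-window request counts for a consumer, for the periodic audit."""
        plan = self.assignments.get(consumer_id)
        if plan is None:
            return {}
        hits = self._hits.get(consumer_id, deque())
        return {w: sum(1 for t in hits if now - t < w) for w in self.plans[plan]}


if __name__ == "__main__":
    limiter = PlanRateLimiter()
    limiter.assign("dev-a", "unverified")
    for t in (100.0, 100.1, 100.2):
        d = limiter.check("dev-a", t)
        print(t, "allowed" if d.allowed else f"denied (window={d.window}s, retry_after={d.retry_after:.1f}s)")
```

Because all windows are evaluated against one timestamp history per consumer, tightening or loosening a consumer is a matter of changing its plan assignment, and the audit data comes from the same record the enforcement uses.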

The age of “build it and they will come” for APIs is over. You need to know all of your API consumers and have solid API plans with conservative API rate limits in place for all digital resources. APIs are all about having your enterprise digital resources and capabilities well defined, with appropriate plans and rate limits surrounding them, based upon a solid understanding of who is consuming these resources. Make sure that you are properly leveraging your API gateway and supporting management resources, so that you aren’t giving away intellectual property to vendors, competitors, and other bad-faith actors who find your APIs via a public portal or by reverse engineering your public web, mobile, and AI applications.