There’s nothing more frustrating than coming up against an API that won’t cooperate, no matter how hard or long you try!
More than a third of analysts, in a new Tines survey, indicated that API-first is the single most important feature and capability they would look for when evaluating a new SOAR tool. This is unsurprising given one of the biggest trends in cybersecurity is a move away from all-in-one platforms in favor of unbundled, best-of-breed solutions that enable faster, more seamless digital experiences.
APIs allow multiple tools to interact and communicate with one another. They help companies scale at immense rates by enabling teams to build bridges between systems to share data and services. For those not technical among us, APIs can seem complex and daunting, but with no-code and low-code tools, APIs enable us to simplify what would otherwise be a difficult task in a product's UI into a simple one or two-step process. Together, APIs and no-code tools make it easier for anyone in any field to take advantage of a product's power and agility.
In this blog, we outline what makes an API great and why others are so temperamental.
The best APIs
Some people might assume that the biggest software companies in the world have the most intelligent APIs or that the earliest adopters continue to set the gold standard. Neither of these statements is universally true. Keeping your API in good shape is an essential part of any organization's success, but newer API protocols and rapidly changing landscapes mean the need for maintenance sometimes goes beyond simple tweaks and fixes. And, machine-generated APIs from the same "template" are generally awful to do real-world work with.
Numerous clickbaity listicles claim to provide a round-up of the best APIs, but many are hard to decipher and engage when you try to use them. This is an incredibly frustrating experience whether you're a developer or a no-coder. If you're experienced, you might decide to review the documentation to understand the terrible design. If you're a newbie, you might give up on the task at hand entirely, and that's a big problem.
The best APIs enable organizations to incorporate other features into their products, collect big data without drowning in it, and leverage technology like no-code automation, making them more effective and efficient. If you're hoping we'll drop some names, then Stripe, Twilio, and MongoDB are just some of the companies that have set a high bar.
At Tines, we have a REST API that allows users to seamlessly connect other tools and build automation Stories on our platform. Typically it doesn't require much ongoing maintenance, but in 2021 we did a substantial amount of work on it to support some of our newer features. You can read more about that update here.
Where some APIs go wrong
The biggest issues regarding APIs typically relate to documentation, standardization, accessibility, robustness, and flexibility.
Publicly available API docs breed confidence. Moreover, clear and consistent documentation is central to having a user-friendly API. Including cURL examples for all API calls that can be pasted and run directly will make every user’s life easier. Best in breed are OpenAPI/Swagger docs or Postman collections with details on all the API calls available. Tines has developed Postman docs for tools like VirusTotal. An API with a Python SDK doesn’t reveal the underlying calls and causes friction for anyone trying to build an integration with anything other than Python.
There are tonnes of API implementations that rely on non-standard mechanisms, making them unintuitive. Some examples include odd HTTP response codes (200 for a fail), all calls as “posts,” or fetching a cookie instead of using OAuth credentials. The best APIs will have get, put, patch, post, and delete operations, use the 429 response status code for rate limitation, and have a standard, documented authentication process with a timeout named.
Security is a big concern with publicly available APIs. With open access, you have less control over who can access your data and what they do with it, which is why many companies, including Tines, restrict access to certain features. But, we should all be striving for better alignment between our UIs and APIs. Another issue is that authentication on many APIs is torture, but solutions tend to be overly complicated when a simple API key would suffice in many cases. Companies that restrict access to their private and internal APIs through authentication and authorization mechanisms also need to communicate any issues around the governance and usage of them internally.
Ideally, APIs are intuitive, efficient, and only need to be updated occasionally, as even the slightest tweak can cause problems for users and break integrations. Once again, good communication is key. It’s important to disclose any changes and keep old versions available for as long as needed.
We’re obsessed with flexibility here at Tines, not just when it comes to our own platform. Not every user will want to use an API in the same way, so input and output constraints that allow for some flexibility are essential.
A modular tech stack is a must-have for any company looking to stay competitive and offers many distinct advantages, and robust APIs are essential to facilitating and accelerating digital transformation. This is especially evident in cybersecurity.
Without a great API, your SOAR or automation tool will have trouble integrating with other tools and systems. Our advice is to always look for an HTTP-based interoperability standard when considering software from vendors or scoping internal tools - this way they can be controlled efficiently without requiring human intervention in situations where it isn't necessary!