What Are the Best DevOps Practices for Enterprise API Builders?

Continuous Integration and Deployment (CI/CD) speeds up bug fixes and shortens time to production by preventing human error and streamlining testing. Not surprisingly, CI/CD is growing in popularity as a software workflow. Teams practicing DevOps want more insight into every part of their application, which usually involves one or more internal APIs.

Often, the team that built the API is not the one consuming it. You may have different requirements than the API development team expects, and therefore, it is important to test a third-party API with your specific endpoints.

The days of teams devoting weeks to QA are mostly behind us. If an enterprise wants to move quickly, it will deploy frequently. When building APIs, you typically push them to production separately from the applications that consume them. That calls for extra attention and process to ensure your APIs work as expected.

In this post, we'll cover four important DevOps practices:

  1. Build a Solid Foundation for API Security
  2. Execute tests against your API
  3. Automate your API tests
  4. Monitor your API

DevOps is not just a technical process, but also an approach to help your team build better software. Using a tool like Postman, you can ensure each of these practices is easily communicated to the rest of your team.

Build a Solid Foundation for API Security

API security is a necessity. You need to trust that anything included in your DevOps process can only be accessed by those with permissions. When you rely on API-specific credentials, you'll have more flexibility to securely access the API from multiple environments. This versatility is vital to implementing external DevOps tools, as well as for preparing your API for a diverse set of use cases.

Some approaches to API security look to protect only the environment where the API is called. If you have access to an API's server—behind a firewall, for example—you then have full access to the API.

The downside with this avenue is that anyone who wants to call your API must be on your premises in order to avoid being blocked by your firewall. In modern, cloud-powered software, that sort of restriction is too brittle to use all the advantages of a DevOps workflow.

Your APIs should be publicly-accessible and include security considerations that ensure only trusted clients can make successful calls. You can choose an industry standard authorization type, such as OAuth 2. This way, API consumers can produce secure tokens to ensure they are able to access each API.

With this approach, you'll be able to extend access to the services that are part of your DevOps workflow. Additionally, you'll be able to ensure any of your websites, mobile apps, or other departments can securely and easily call your API.

Execute Tests Against Your API

Once an API is created or changed, it's integral to the health of any system using the API that it is thoroughly tested. API testing tools make it easy to build and execute tests that measure response time, find bugs, and test responses.

With a publicly-accessible, secured API, you can now write tests that make it easy for you and your API consumers to rely on your API. You want to know the requests you send to your API bring back the expected responses in both development and production.

If you want to avoid a costly build-out, the easiest way to find a testing solution is to find an API development environment with flexible testing capabilities.

For example, Postman lets you organize calls to your API in collections, run them in succession, and write scripts to verify the results.

Look at status codes (such as checking for a 200), or for specific data within the response. Securely store your tokens in environments that can be paired with collections and any version of your API when you run a series of tests.
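One check that supports storing tokens safely, as an added example rather than Postman tooling: scan an exported environment file for credential values before it is committed for use in Newman runs. The sample export is constructed, and the key-name pattern is an assumed naming convention.

```javascript
// Constructed sample in the shape of a Postman environment export.
const SAMPLE_ENV = {
  name: 'staging (constructed)',
  values: [
    { key: 'base_url', value: 'https://api.example.test', type: 'default', enabled: true },
    { key: 'access_token', value: 'constructed-not-a-real-token', type: 'secret', enabled: true },
    { key: 'client_secret', value: '', type: 'secret', enabled: true },
    { key: 'refresh_token', value: '{{REFRESH_TOKEN}}', type: 'default', enabled: true },
    { key: 'page_size', value: '50', type: 'default', enabled: true },
    { key: 'api_key', value: 'constructed-key-123', type: 'default', enabled: false },
  ],
  _postman_variable_scope: 'environment',
};

// Key names that usually hold credentials (assumed naming convention).
const SENSITIVE_KEY = /token|secret|passw(or)?d|api[_-]?key/i;
// A value that is only a {{placeholder}} carries no secret.
const PLACEHOLDER = /^\{\{[^{}]+\}\}$/;

// Return one finding per credential-like variable that still holds a value.
// Findings name the key only, so the report never repeats the secret itself.
function findHardcodedSecrets(env) {
  const findings = [];
  for (const v of env.values || []) {
    const value = String(v.value || '').trim();
    const sensitive = v.type === 'secret' || SENSITIVE_KEY.test(v.key || '');
    if (!sensitive || value === '' || PLACEHOLDER.test(value)) continue;
    findings.push({
      key: v.key,
      reason: v.type === 'secret' ? 'secret-typed variable has a value'
                                  : 'credential-like key has a value',
      // Disabled variables are still reported: the value is still in the file.
      enabled: v.enabled !== false,
    });
  }
  return findings;
}

// Exit code for a pre-commit hook or CI step: 1 blocks the commit or build.
function exitCodeFor(env) {
  return findHardcodedSecrets(env).length ? 1 : 0;
}

for (const f of findHardcodedSecrets(SAMPLE_ENV)) {
  console.log(`${f.key}: ${f.reason}${f.enabled ? '' : ' (disabled)'}`);
}
```

With the file kept free of values, the real token can be supplied at run time from the CI secret store, for example through Newman's `--env-var` option.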

Newman, Postman's command line tool, is built on Node.js and compatible with Jenkins, Travis, and Docker. Newman has a slew of built-in options that assist your testing environment. You can start by simply tracking exit status codes. Continuous integration tools respond to these exit codes and correspondingly pass or fail a build.

The results of all tests and requests can be exported into a file and later imported into Postman for further analysis. In order to have an efficient and effective workflow, your DevOps processes should run automatically.
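The status-code checks and exit-code gating described in this section, applied to the requirement that only trusted clients can make successful calls. This is an added example, not Postman or Newman code; the stub endpoints, token names and fixed clock are constructed, and the suite is also run against a stub that trusts its network location alone.

```javascript
// Constructed fixed clock (epoch seconds) so every run gives the same result.
const NOW = 1700000000;

// Constructed token store for the stub: token -> scope, expiry, revocation.
const TOKENS = new Map([
  ['tok-valid',   { scope: 'orders:read',  exp: NOW + 3600, revoked: false }],
  ['tok-expired', { scope: 'orders:read',  exp: NOW - 60,   revoked: false }],
  ['tok-revoked', { scope: 'orders:read',  exp: NOW + 3600, revoked: true }],
  ['tok-noscope', { scope: 'profile:read', exp: NOW + 3600, revoked: false }],
]);
const ORDERS = { orders: [{ id: 1 }] };

// Stub of a bearer-token protected endpoint (hypothetical GET /orders).
function tokenCheckedApi(headers) {
  const m = /^Bearer (\S+)$/.exec(headers.authorization || '');
  const t = m && TOKENS.get(m[1]);
  if (!t || t.revoked || t.exp <= NOW) return { status: 401, body: { error: 'invalid_token' } };
  if (t.scope !== 'orders:read') return { status: 403, body: { error: 'insufficient_scope' } };
  return { status: 200, body: ORDERS };
}

// Stub that trusts network location only and never inspects credentials.
const perimeterOnlyApi = () => ({ status: 200, body: ORDERS });

// Credential sent, status a correct API must return, and a check on the body.
const leaksNothing = (b) => !('orders' in b);
const CASES = [
  { name: 'valid token',   auth: 'Bearer tok-valid',   status: 200, check: (b) => Array.isArray(b.orders) },
  { name: 'no token',      auth: null,                 status: 401, check: leaksNothing },
  { name: 'expired token', auth: 'Bearer tok-expired', status: 401, check: leaksNothing },
  { name: 'revoked token', auth: 'Bearer tok-revoked', status: 401, check: leaksNothing },
  { name: 'wrong scope',   auth: 'Bearer tok-noscope', status: 403, check: leaksNothing },
];

// Run every case; a non-empty failure list becomes exit code 1 for the CI job.
function runSuite(api) {
  const failures = [];
  for (const c of CASES) {
    const res = api(c.auth ? { authorization: c.auth } : {});
    if (res.status !== c.status) failures.push(`${c.name}: expected ${c.status}, got ${res.status}`);
    else if (!c.check(res.body)) failures.push(`${c.name}: unexpected response body`);
  }
  return { failures, exitCode: failures.length ? 1 : 0 };
}

const result = runSuite(tokenCheckedApi);
result.failures.forEach((f) => console.error(f));
if (result.exitCode) process.exitCode = result.exitCode;
```

Running `runSuite(perimeterOnlyApi)` fails every negative case, which is the signal a build should stop on.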

Automate Your API Tests

API testing automation makes it easy to continuously test APIs during development in order to find and fix bugs early on, before production. Once you have created your tests (unit tests, functional tests, integration tests, end-to-end tests, regression tests, mock tests, etc.), you can hand off your work to an automated process. Automated API tests will run continuously, surfacing any errors so you can fix them quickly.

You can aggregate the tests and requests you've created into a single automated test sequence. The Postman Collection Runner allows you to create and automate tests that mirror use cases for your actual API (you can also run tests via Newman and tools like Jenkins or Travis CI). You can pass data between API requests and build entire integration test suites, iterate the number of times a collection is run, set or adjust the delay between requests to test for server failure, or even use your data files for a collection run.

Security often revolves around human-proofing. The automation processes in the collection runner are a fail-safe in that they allow you to create test environments with persistent variables so that you can get repeatable results multiple times and in multiple places. It can also check your API's variable scope and highlight the variables in your environment if they are unresolved.

When an automated collection is run, you can set Postman to keep the original variables in your API data, update them to the current values, auto-persist, update the original values or tell the collection runner to stop at each of these points so you can revert to the original API data you need.

Monitor Your API and Log and Track Errors

Testing your APIs shouldn't stop at deploys. Even once you're confident in your development and production tests, things can change. Modern software systems are complex. Tokens may expire or be revoked (intentionally or accidentally), and other services you depend on may become unavailable. The only way to be certain your APIs are running as expected is to consistently monitor them.

You should be able to use the same tests you've previously created to run on the production environment. Postman monitors allow you to set intervals for your tests, so your tests can run as frequently as every five minutes.

Postman's monitoring dashboard allows you to get the big picture of every monitor you or your team runs on your API. You can see the status, success rate, and average response time for each one. You can also drill down into any particular monitor to see past runs, failed tests for those runs, and total response times of all requests.

Again, to keep your work as tidy and simple as possible, your monitors are synced with your automated collections so that errors are logged and tracked to help you diagnose failures and fix issues quickly.

Including monitors as part of your DevOps process ensures your peace of mind once your API changes have been deployed. If your API health degrades, you'll know right away.

Build Your APIs With These DevOps Practices

These DevOps practices can make the difference between system failure and success. Creating an effective DevOps workflow means building a solid foundation for API security and executing the proper tests against your API as often as necessary or by way of scheduled runs.

In this article, we covered how you can create APIs that can be securely accessed with proper credentials so you can include robust testing in your CI/CD workflow. You can write tests to ensure the API behaves as you expect in a staged environment, then run the same sequence in production. Finally, you can monitor API calls frequently to make sure your API continues to work as expected.

If you want to explore Postman in more depth to see how you can create great automated tests, check out our automated testing page for more information and in-depth resources on API test automation. For more information on Postman and our newest API features, check out our docs to see how you can create great APIs and link the API elements (tests, monitors, and variables) that can help you create a powerful DevOps workflow with ease.
