API gateway evaluation checklist

API Gateway pattern

Microservice architecture adoption in enterprise technology stacks is growing every year.

Client applications that interact with many microservices face challenges maintaining all these integrations.

The API gateway architecture pattern allows client applications to use only a single contract / interface.

All the necessary orchestration / transformation is performed in the API gateway layer.

In recent years, many API gateway products have appeared on the horizon, provided by some of the most experienced players in the enterprise technology space.

Evaluation checklist

As API gateway pattern adoption grows, many organisations choose to buy the enterprise software instead of building and maintaining it in-house.

I have created the checklist below to help when evaluating an API gateway product for your organisation.

It's based on the experience of assisting with API gateway product selection for several of our clients.

This checklist covers the most common questions and pointers that have to be assessed before making a final decision.

Business Cost

  • Initial Cost.
    • Initial cost to setup and start using the product.
    • For on-premise products this is usually the license cost.
    • Cloud based API gateway products mostly offer monthly / annual payment options. They might still charge a setup fee.
  • Cost over time.
    • Medium to long term cost of running the API gateway product.
    • Usually it's an annual cost for cloud based products.
    • Infrastructure costs for on-premise installations.
  • Maintainability.
    • Effort required to maintain the API gateway product.
    • Low cost for cloud based products.
    • On-premise installations require a dedicated team / resources with cost allocations.
  • Portability. Vendor Lock-in.
    • How easy is it to switch vendors if required?
    • Process, complexity and cost.
  • Documentation and Training.
    • Availability of an active developer community around the product.
    • Availability of a talent pool with the skill-set for hiring.
    • Quality of documentation and workshops / training courses.

Technical Capabilities

  • Operating model.
    • Is the API gateway product provided as SaaS?
    • Does it support on-premise and in-house deployments?
    • Which operating model is most suitable for the purchasing organization?
  • Secure connectivity between API gateway and the backend systems.
    • What security mechanisms are available within the API gateway product to protect the underlying backend services?
    • Examples include: Mutual Authentication, VPN connectivity, etc.
    • It's a very important requirement, especially for SaaS product candidates.
  • Scalability.
    • How scalable is the product? Will it scale as the number of API requests increases?
    • Can the vendor provide example performance test results?
  • API Security.
    • Support for the use of client side certificates.
    • Does the API gateway support OAuth 2.0 and OAuth 1.0 authorization flows?
    • Can it securely store the authorisation tokens?
    • Does it allow revoking auth tokens, or the group of auth tokens related to a specific user?
    • Support for rate limiting per authorised application?
    • Support for JWT.
  • Orchestration and Transformation
    • Support for orchestrating multiple backend system callouts during a single API request.
    • Support for transforming and mediating API request or response payloads and metadata.
    • Support for conversions between payload formats like JSON and XML.
  • Caching
    • Does the API gateway support API response caching?
    • How configurable is the caching strategy?
  • Quotas
    • Support for different API quotas for different authorised applications.
  • Logging / Analytics.
    • Does the API gateway provide a UI for tracing transactions?
    • What are the analytics capabilities?
    • Support for reporting and report building.
    • How long is analytics data retained?
    • Support for logging analytics data to external storage or processing systems.
  • API documentation
    • Support for publishing API documentation in industry standard formats (OpenAPI, RAML)?
  • Management APIs.
    • Does it provide management APIs?
    • Management APIs are mostly used to automate API development life cycles.
    • What continuous integration strategy does the API gateway vendor propose?
  • Prebuilt integrations.
    • Does the API gateway offer prebuilt integrations with common 3rd party systems?
    • For example – prebuilt integrations with business applications like Salesforce, Identity providers and others.

