API Architecture & ManagementMS-03 · theory

Source · De Laurentiis et al., Mastering API Architecture (O'Reilly); Medjaoui et al., Continuous API Management (O'Reilly)

Why this matters

De Laurentiis et al., Mastering API Architecture, Ch. 1-2

Microservices are only as usable as the APIs through which they collaborate and are consumed. A poorly designed API leaks internal structure, breaks clients on every change, and forces every consumer to solve the same cross-cutting concerns. Good API architecture is what lets many teams and external partners build on your services safely and lets you evolve those services without a flag day.

Managing APIs is not just designing an endpoint; it is a lifecycle - design, publish, secure, version, monitor, deprecate, retire - governed so that hundreds of APIs across an organization remain consistent and discoverable. Understanding this turns 'we have some REST endpoints' into a durable platform.

The concept

Fowler/Richardson maturity model; Mastering API Architecture Ch. 3-4; Medjaoui et al., Continuous API Management, Ch. 2-3

Several ideas anchor API architecture.

REST maturity (the Richardson model) describes levels: level 0 uses HTTP as a tunnel for a single endpoint; level 1 introduces resources; level 2 uses HTTP verbs and status codes correctly; level 3 adds hypermedia controls (HATEOAS) so responses advertise available transitions. Most practical APIs target level 2.

An API gateway is a single entry point that fronts your services and handles cross-cutting concerns - routing, authentication, rate limiting, TLS termination - so individual services do not each reimplement them.

The Backend for Frontend (BFF) pattern puts a dedicated gateway-like layer per client type (web, mobile), tailoring and aggregating responses so a mobile app is not forced to consume a generic, chatty API.

Versioning and contracts protect consumers: you version APIs (URI, header, or media-type based) so changes do not break existing clients, and you use explicit contracts (OpenAPI specs, consumer-driven contract tests) to verify that a change will not break known consumers before you deploy. Governance across the lifecycle keeps naming, security, and versioning consistent as the API estate grows.

Worked scenario

Newman, Building Microservices 2e, Ch. 5 (BFF); Mastering API Architecture, Ch. 4 (Gateways)

A company exposes a single generic 'Orders' API. The web SPA and the mobile app both call it. The mobile app must make five calls to render one screen and then discard 80% of each payload over a slow connection.

Introducing a mobile BFF fixes this: the BFF makes those five internal calls server-side, aggregates and trims the data to exactly what the mobile screen needs, and returns one compact response. The web BFF, meanwhile, returns richer data suited to the desktop UI. Both sit behind an API gateway that handles auth and rate limiting once. When the Orders service later adds a field, the BFFs absorb the change; clients are shielded. And because the Orders API is versioned and covered by consumer-driven contract tests, the team knows before deploying whether a change would break either BFF. This is API architecture doing its job: shielding clients, centralizing cross-cutting concerns, and enabling safe evolution.

How it connects

Medjaoui et al., Continuous API Management, Ch. 6-7 (Governance, lifecycle)

API architecture is the outward face of the fundamentals: the stable interface that makes information hiding and independent deployability real. Versioning and contract testing are what let a service deploy independently without breaking consumers - the practical enforcement of loose coupling.

Gateways and BFFs also mediate between synchronous consumer-facing APIs and the internal event-driven world: a client hits a REST endpoint, which the system may satisfy from a read model built by events. And when you decompose a monolith, the gateway is often where the strangler fig routes traffic, sending some paths to the old system and others to new services. API governance, finally, is the organizational counterpart to the technical patterns, keeping a growing estate coherent.

Common traps
  • Equating 'has HTTP endpoints' with REST maturity level 3. Most APIs are level 2 (correct verbs and status codes); hypermedia/HATEOAS is level 3 and comparatively rare.
  • Building one generic API for every client. Without a BFF, mobile clients over-fetch and make excessive round trips; the BFF tailors and aggregates per client type.
  • Skipping contracts and relying on manual coordination for changes. Without versioning and consumer-driven contract tests, an independent deploy can silently break consumers.
Key takeaways
  • The Richardson maturity model grades REST from tunneling (0) through resources and proper verbs (1-2) to hypermedia (3); level 2 is the common target.
  • Gateways centralize cross-cutting concerns; BFFs tailor and aggregate responses per client type to avoid over-fetching and chatty calls.
  • Versioning plus explicit contracts (OpenAPI, consumer-driven contract tests) is what makes independent deployment safe; governance keeps a large API estate consistent.