Menu
Quickly here's my scenario: I'm in the early stages of planning/implementing an API for my start-up. Said API is fundamental to our strategy and all that. Yay!
I'm looking to use Apigee (or similar) to handle all the dirty details (security, throttling, ect..) so I don't need to implement all this myself.
What I can't quite find is a recommended list of things my back-end API server should do (and more importantly, shouldn't have to do) using this strategy.
A few more technical details: I'm planning to use Nginx/FastCGI/Qt/C++ on my back-end, perhaps not relevant. Calls to this back-end will be exclusively through proxy (Apigee). I'll have my own client web-site and internal apps using the API as dogfood.
What I'm looking for is a best practices guide on implementing my side of the API when using something like Apigee as a fundamental component of the overall strategy. I don't want to reinvent any wheels (or shoot myself in the foot)!
Is this even the right approach at all ?
Thank-you all !!
495
asked Dec 02 '25 08:12
Where to put functionality in the flow is usually contextual but there are a few easy things to put in every proxy:
1) Key Management: Using Apigee to manage your API keys and mint your access tokens gives you a couple things; first line of defense for unauthorized apps and automatic analytics about what the developer is doing (getting a high error rate from one app? reach out to them and help them solve their problem proactively).
2) Basic Security Policies: Once you know the App is allowed to access your API there are some simple security policies that should be run on the Apigee layer. Payload enforcement (JSON and XML threat protection, regular expressions to block things like SQL injection or other invasive code). You can also set quotas based on the API Key (different developers getting different levels of access based on the products you associate with their keys). You also want to set spike arrests to keep your API traffic from overwhelming your target server.
3) Response Management: Make sure you strip out unnecessary response headers (cookies, server versions, etc) that aren't relevant to the API Contract. No need to tell your app developers about your target architecture, but it's sometimes hard to suppress those headers from application servers. You may also want rules to block unexpected responses from the target server (500 errors that may contain stack traces for example).
4) Caching: The ability to cache responses in Apigee drives a lot of the rest of "where to do it" questions. But being able to return a Cached response from Apigee can decrease your latency by hundreds of milliseconds improving your transactions per second and your developer/consumer satisfaction. The question now becomes how fine-grained you can get your cached response without having to go to the target server.
Beyond that it becomes "Where is it easiest and most efficient to do a task?" Things like JSON to XML, for example, are easy in Apigee, but they're easy in other platforms that may be running on your backend server, too.
135
answered Dec 07 '25 11:12
Good question - disclosure I work for 3scale (http://www.3scale.net) and we compete with Apigee. I'll try to answer the question in a neutral way though.
At it's core an API Proxy should take care of throttling, analytics logging, key enforcement, some of the security and potentially load balancing across backend nodes. So you shouldn't need any of those in the backend. So you should be fine just delivering the API in raw form there, however you'll still need to:
Having said all this - I'd encourage you to check out 3scale - we provide equivalent services to Apigee including the API gateway. It's not only more cost effective (see the site about) but our solution is also based on NGINX which you already have in your stack - you can either add another or add into your existing config.
Hope that helps and happy to give more info if useful.
41
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
