API AUDIT CHECKLIST


Use this checklist to audit your API prototype, or a ready-made API, before publishing it to stakeholders, or even before buying an API. It is now available for both REST and AsyncAPI.

Detailed guide related to APIOps Cycles phase:

API AUDIT

REST API CHECKLIST

Prototype is ready when...

- The API is based on clear business needs.
- The API is designed to hide raw backend data and to be shared by multiple API-consuming applications.
- The API has a description that explains its business value and features.
- The API has a consistent design with our other APIs.
- API and data naming uses good English (or another standard language).
- Mandatory fields are specified.
- Dates are in the ISO standard (ISO 8601) date format, including the timezone.
- All general data such as country and language names, geographical coordinates etc. use standard values.
- Fields are described in full words, avoiding acronyms.
- When creating new resources, an identifier is returned per item.

API design is ready when...

All items in the prototype checklist are audited, in addition to:

- Endpoint design contains a maximum of two resources/sub-resources in the endpoint path.
- All endpoints and attributes include examples.
- POST is used for creating and updating data (instead of PUT, unless the full resource is replaced).
- DELETE is used to remove a resource.
- An API versioning strategy has been decided, and it is supported by the API gateway in use.
- The GET method does not have a request body, and returns status 200 OK with some content in the response.
- The GET method returns status 204 No Content when the response body is empty.
- The POST method returns 200 OK when the resource is updated.
- The POST method returns status 201 Created, together with the identifier of the created resource.
- The DELETE method returns 204 No Content when removing the resource was successful.
- 400 responses carry additional information on the specific error (for example, a missing required attribute).
- 401 Unauthorized is used when the API consumer is using wrong or missing credentials.
- 403 Forbidden is used when an authenticated API consumer tries to use an operation they are not allowed to perform.

API is maintainable in production when...

All items in the prototype and API design checklists are audited, in addition to:

- The API is published via API management.
- The API is visible in a developer portal.
- The API can only be accessed via the API management gateway.
- Rate limits are enforced when requesting the API.
- API documentation is generated automatically from the specification, schema and examples.
- The specification is pushed automatically to the API gateway and the documentation site / developer portal whenever the API changes.
- The specification for endpoints is validated on every change against standards.
- The specification contains the schema for the requests and responses.
- Request and response schema and examples pass schema validation.
- The API uses HTTPS (or, in special cases, other stateless protocols with encryption).
- The API is published under the organization's official domain.
- All endpoints are protected by authentication.
- The API has token-based authentication.
- The API is protected against Cross-Site Request Forgery (CSRF).
- Inputs are validated automatically by the coding framework used.
- Outputs are escaped automatically by the coding framework used.
- Encryption of data in transit and data in storage is implemented according to the evaluated need.
- Message integrity has been implemented according to the evaluated need.
- UUIDs or other pseudo-identifiers are used to identify objects instead of internal database identifiers.
- Direct object references to sensitive information such as bank account numbers, social security numbers or person names are not used in URLs.
- Specific HTTP methods are only available for resources where intended (whitelisting).
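Taken together, the design-column items above describe one request-handling contract. The following is an added example, not code from the APIOps Cycles method, of a framework-free handler that applies them: a per-route method whitelist, bearer-token authentication, opaque UUIDs in place of the internal sequential key, and the status-code rules from the list (201 with the new identifier, 204 on delete and on an empty body, 400 naming the missing attribute, 401 for wrong or missing credentials, 403 for an authenticated consumer without the permission). The `accounts` resource, the token table and the `Store` class are assumptions constructed for illustration.

```python
import uuid
from dataclasses import dataclass, field

# Constructed bearer-token table: token -> (consumer id, operations it may perform).
TOKENS = {
    "tok-reader": ("consumer-a", {"read"}),
    "tok-writer": ("consumer-b", {"read", "create", "update", "delete"}),
}

# Method whitelist per route: a method absent here is rejected with 405, so a
# resource never exposes a method it was not designed for.
ALLOWED = {
    "/accounts": {"GET", "POST"},
    "/accounts/{id}": {"GET", "POST", "DELETE"},
}
REQUIRED = {"owner", "currency"}          # mandatory attributes of an account (assumed)


@dataclass
class Store:
    """In-memory store: rows are keyed by an internal sequential id that is
    never exposed; clients only ever see the UUID stored inside each row."""
    rows: dict = field(default_factory=dict)
    public_to_internal: dict = field(default_factory=dict)
    next_internal: int = 1

    def create(self, data):
        public_id = str(uuid.uuid4())
        self.rows[self.next_internal] = {**data, "id": public_id}
        self.public_to_internal[public_id] = self.next_internal
        self.next_internal += 1
        return public_id

    def get(self, public_id):
        internal = self.public_to_internal.get(public_id)
        return None if internal is None else self.rows[internal]

    def delete(self, public_id):
        internal = self.public_to_internal.pop(public_id, None)
        if internal is not None:
            del self.rows[internal]
        return internal is not None


def _route(path):
    """Map a concrete path to its route template and the public id, if any."""
    parts = [p for p in path.split("/") if p]
    if parts == ["accounts"]:
        return "/accounts", None
    if len(parts) == 2 and parts[0] == "accounts":
        return "/accounts/{id}", parts[1]
    return None, None


def handle(store, method, path, headers, body=None):
    """Return (status, response dict or None) for one request.  `body` is the
    already-parsed JSON object and `headers` a plain dict."""
    route, public_id = _route(path)
    if route is None:
        return 404, {"error": "unknown resource"}
    if method not in ALLOWED[route]:             # whitelisting of HTTP methods
        return 405, {"error": f"{method} is not allowed on {route}"}
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    if token not in TOKENS:                      # wrong or missing credentials
        return 401, {"error": "invalid or missing bearer token"}
    consumer, perms = TOKENS[token]
    op = {"GET": "read", "POST": "create", "DELETE": "delete"}[method]
    if method == "POST" and public_id is not None:
        op = "update"                            # POST on an existing resource updates it
    if op not in perms:                          # authenticated, but not permitted
        return 403, {"error": f"{consumer} may not {op} accounts"}
    if method == "GET":
        if public_id is None:
            items = list(store.rows.values())
            return (200, {"items": items}) if items else (204, None)
        row = store.get(public_id)
        return (200, row) if row else (404, {"error": "no such account"})
    if method == "POST":
        missing = sorted(REQUIRED - set(body or {}))
        if missing:                              # 400 names the specific problem
            return 400, {"error": "missing required attribute", "missing": missing}
        if public_id is None:
            return 201, {"id": store.create(body)}   # identifier of the created resource
        row = store.get(public_id)
        if row is None:
            return 404, {"error": "no such account"}
        row.update({k: v for k, v in body.items() if k != "id"})
        return 200, row
    # DELETE: 204 on success, 404 if the public id is unknown (internal ids never resolve)
    return (204, None) if store.delete(public_id) else (404, {"error": "no such account"})
```

Note that the method whitelist is evaluated before authentication, so an unsupported method is refused without even touching the token table, and that a request for `/accounts/1` (an internal row number) resolves to 404 rather than to a row, which is the point of the pseudo-identifier rule.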

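Several of the production-column items (the specification is validated on every change, it contains the schema, examples are present, HTTPS is used, all endpoints are protected by authentication) and several design rules (at most two resources in the path, no GET request body, the expected response codes, no sensitive identifiers in URLs) can be checked mechanically from the OpenAPI document before a gateway accepts it. The linter below is an added example, not a tool from the APIOps Cycles method, that encodes those checks and runs them over a small, deliberately flawed OpenAPI 3 document constructed inline; the list of sensitive parameter names is an assumption to be adapted to your own domain.

```python
import re

METHODS = {"get", "post", "put", "patch", "delete"}
# Assumed path-parameter names that would put a direct reference to sensitive
# data into the URL; extend to match your own data model.
SENSITIVE_PARAMS = {"ssn", "socialsecuritynumber", "iban", "accountnumber", "name"}


def _has_example(media):
    return "example" in media or "examples" in media or "example" in media.get("schema", {})


def lint(spec):
    """Return a sorted list of (path, method, finding) for an OpenAPI 3 dict."""
    findings = []
    servers = spec.get("servers", [])
    if not servers or any(not s.get("url", "").startswith("https://") for s in servers):
        findings.append(("servers", "-", "every server URL must use https"))
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        segments = [s for s in path.split("/") if s]
        if len([s for s in segments if not s.startswith("{")]) > 2:
            findings.append((path, "-", "more than two resources/sub-resources in path"))
        for seg in segments:
            if seg.startswith("{") and re.sub(r"[^a-z]", "", seg.lower()) in SENSITIVE_PARAMS:
                findings.append((path, "-", f"sensitive identifier {seg} used in URL"))
        for method, op in item.items():
            if method not in METHODS:
                continue
            responses = op.get("responses", {})
            # An operation-level "security: []" switches authentication off.
            if op.get("security", global_security) in (None, []):
                findings.append((path, method, "operation has no security requirement"))
            if method == "get" and "requestBody" in op:
                findings.append((path, method, "GET must not have a request body"))
            if method == "post" and not {"200", "201"} & set(responses):
                findings.append((path, method, "POST must document 200 (update) or 201 (create)"))
            if method == "delete" and "204" not in responses:
                findings.append((path, method, "DELETE must document 204"))
            if "400" in responses and "content" not in responses["400"]:
                findings.append((path, method, "400 response carries no error-detail schema"))
            for code, resp in responses.items():
                for media in resp.get("content", {}).values():
                    if "schema" not in media:
                        findings.append((path, method, f"{code} response has no schema"))
                    if not _has_example(media):
                        findings.append((path, method, f"{code} response has no example"))
    return sorted(findings)


# Constructed sample: POST /accounts is compliant, GET /accounts and the
# second path each break several of the rules above.
SAMPLE = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.com/v1"}],
    "security": [{"bearerAuth": []}],
    "paths": {
        "/accounts": {
            "post": {
                "requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}},
                "responses": {
                    "201": {"content": {"application/json": {
                        "schema": {"type": "object"},
                        "example": {"id": "3fa85f64-5717-4562-b3fc-2c963f66afa6"}}}},
                    "400": {"content": {"application/json": {
                        "schema": {"type": "object"},
                        "example": {"error": "missing required attribute"}}}},
                },
            },
            "get": {
                "security": [],
                "requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}},
                "responses": {"200": {"content": {"application/json": {"schema": {"type": "array"}}}}},
            },
        },
        "/customers/{ssn}/accounts/{id}/transactions": {
            "delete": {"responses": {"200": {"description": "deleted"}}},
        },
    },
}

if __name__ == "__main__":
    for path, method, finding in lint(SAMPLE):
        print(f"{path} {method}: {finding}")
```

Run against the sample it reports six findings: the GET operation has opted out of authentication, carries a request body and documents a response without an example; the second path nests three resources, exposes `{ssn}` in the URL and lets DELETE answer 200 instead of 204. Wiring `lint` into the pipeline that pushes the specification to the gateway is what "validated on every change" means in practice.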
ASYNC API CHECKLIST

Prototype is ready when...

- The API is based on clear business needs.
- The API is designed to hide raw backend data and to be shared by multiple API-consuming applications.
- The API has a description that explains its business value and features.
- The API has a consistent design with our other APIs.
- API and data naming uses good English (or another standard language).
- Mandatory fields are specified.
- Dates are in the ISO standard (ISO 8601) date format, including the timezone.
- All general data such as country and language names, geographical coordinates etc. use standard values.
- Fields are described in full words, avoiding acronyms.
- When publishing new messages, the relevant topics or channels are clearly identified.

API design is ready when...

All items in the prototype checklist are audited, in addition to:

- The message design contains a clear structure, differentiating between events, commands, and queries.
- All messages and attributes include examples.
- Messages follow a consistent structure across all topics/channels.
- The message versioning strategy has been decided.
- Acknowledgments for received messages are defined (if applicable).
- Errors or issues with messages are clearly conveyed, with additional information on the specific error.
- Authentication and authorization strategies are specified.

API is maintainable in production when...

All items in the prototype and API design checklists are audited, in addition to:

- The API is managed via a proper AsyncAPI management tool.
- The API is visible in a developer portal.
- Rate limits are enforced when sending messages (if applicable).
- API documentation is generated automatically from the AsyncAPI specification, schema, and examples.
- The specification is pushed automatically to the API management tools and the documentation site/developer portal whenever the API changes.
- The specification for topics/channels is validated on every change against standards.
- The specification contains the schema for the messages.
- Message schema and examples pass schema validation.
- Message transport ensures security (e.g., MQTT over TLS or AMQP over TLS).
- The API is operated under the organization's official domain (or the relevant broker or message service).
- All topics/channels are protected by authentication.
- The API has token-based authentication.
- Encryption of data in transit and data in storage is implemented according to the evaluated need.
- Message integrity has been implemented according to the evaluated need.
- UUIDs or other pseudo-identifiers are used to identify objects instead of internal database identifiers.
- Sensitive information is not exposed in topics or channels.
- Whitelisting is used to specify which clients can publish or subscribe to certain topics/channels.
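The last production item, a per-client whitelist of topics a client may publish to or subscribe to, and the requirement that messages pass schema validation, are both enforced at the broker rather than in the client. Below is an added example (not part of the APIOps Cycles method) of those two checks: a whitelist with MQTT-style `+` (one level) and `#` (remaining levels) wildcards, including the case where a client requests a subscription filter broader than what it is permitted, and a small validator that rejects a message missing a mandatory attribute, carrying the wrong type, or carrying an attribute the schema does not declare. The client ids, channel names and the temperature-event schema are constructed for illustration.

```python
# Constructed ACL: client id -> topic filters it may publish to / subscribe to.
ACL = {
    "sensor-17":  {"pub": ["plant/line1/sensor-17/+"], "sub": []},
    "dashboard":  {"pub": [], "sub": ["plant/line1/#"]},
    "controller": {"pub": ["plant/line1/commands/+"], "sub": ["plant/line1/+/temperature"]},
}

# Constructed schema for the temperature event channel: the message id is an
# opaque UUID string, the sensor is addressed by its public name, not a row id.
TEMPERATURE_SCHEMA = {
    "required": ["id", "sensorId", "occurredAt", "celsius"],
    "properties": {"id": str, "sensorId": str, "occurredAt": str, "celsius": (int, float)},
}


def topic_matches(pattern, topic):
    """True if a concrete topic matches an MQTT filter ('+' one level, '#' the rest)."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return i == len(p) - 1          # '#' is only valid as the last level
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(p) == len(t)


def filter_covered(allowed, requested):
    """True if every topic matching `requested` would also match `allowed`,
    i.e. the requested subscription is no broader than the permitted one."""
    a, r = allowed.split("/"), requested.split("/")
    for i, level in enumerate(a):
        if level == "#":
            return i == len(a) - 1
        if i >= len(r) or r[i] == "#":      # request reaches deeper than allowed
            return False
        if level == "+":
            continue                         # any single level is fine here
        if r[i] != level:                    # a literal only covers the same literal
            return False
    return len(a) == len(r)


def may_publish(client, topic):
    """Publishes must name a concrete topic; wildcards are never publishable."""
    if "+" in topic or "#" in topic:
        return False
    return any(topic_matches(p, topic) for p in ACL.get(client, {}).get("pub", []))


def may_subscribe(client, requested):
    return any(filter_covered(p, requested) for p in ACL.get(client, {}).get("sub", []))


def validate_message(schema, payload):
    """Return a list of problems; an empty list means the payload conforms."""
    problems = [f"missing required attribute '{k}'" for k in schema["required"] if k not in payload]
    for key, typ in schema["properties"].items():
        if key in payload and not isinstance(payload[key], typ):
            problems.append(f"attribute '{key}' has the wrong type")
    problems += [f"unexpected attribute '{k}'" for k in payload if k not in schema["properties"]]
    return problems


def accept_publish(client, topic, payload, schema=TEMPERATURE_SCHEMA):
    """Broker-side decision for one PUBLISH: (accepted, reason or problems)."""
    if not may_publish(client, topic):
        return False, [f"{client} is not whitelisted to publish on {topic}"]
    problems = validate_message(schema, payload)
    return not problems, problems
```

The distinction between `topic_matches` and `filter_covered` is the part brokers most often get wrong: a client whitelisted for `plant/line1/+/temperature` must be refused `plant/line1/#`, even though every topic it is allowed to see does match that filter, because the filter would also deliver topics it is not allowed to see.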

Method license: CC BY-SA 4.0

APIOps and APIOps Cycles trademark owned by Osaango Oy
