API-first businesses are creating their own ecosystem and exciting new companies are emerging as the picks and shovels.
APIs (application programming interfaces) are the connective tissue between applications, software servers, and data. APIs enable different pieces of software to communicate with each other, allowing developers to add new capabilities to their applications without having to build the functionality from scratch. For instance, WorkOS offers an API that enables developers to add single sign-on to their product using only a few lines of code, allowing them to sign on enterprise customers who require that functionality. Grace Isford put it well when she said that API companies “give their users “superpowers.”¹ Close to magic, a developer can bring together services in hours or days that would otherwise take weeks to build.
At Georgian, our R&D team built an API to give our users superpowers. We use a Fetch API, which we refer to as Fetch, to tap into our data platform of market and company trends. Fetch makes the more rote work associated with sourcing, due diligence, and M&A planning (like gathering company and market data) easier so we can focus on high-value tasks.
APIs have been around for decades, but have become increasingly relevant over the last few years. In the early 2000s, Roy Fielding wrote his dissertation on the REST API framework, and Salesforce, eBay, and Amazon launched commercial API products shortly after to extend the reach of their platforms to third-party developers. Since then, several waves of technology have relied on the use of APIs, from the advent of consumer social platforms, to mobile devices, to connected devices (Postman outlines a helpful summary of the history of APIs and their growth in popularity here). Fast forward to the present day, API traffic accounts for 83% of all web traffic.² APIs have also since created incredible businesses. Stripe and Twilio are famous examples of API-first businesses that have emerged in the past decade, taking the complex worlds of payments and telecommunications and making them accessible through an elegant, intuitive endpoint.
The innovation that APIs have unlocked cannot be understated: by providing critical building blocks, developers and product teams can focus on their core competencies, like building our favourite ride-hailing apps with Google Maps’ API or eCommerce stores using Stripe’s payment infrastructure.
Given the attractiveness of the API business model, it is no surprise that the number of start-ups that deliver their service via an API has exploded. Skyflow for example, allows companies to store sensitive information in a zero-trust vault that is accessible via an API, fulfilling the need for greater data privacy in the wake of heightened consumer awareness of technology’s privacy implications and recent regulations like GDPR and CCPA. Finxact, a banking core as a service company, relies on its open banking API to allow banks to seamlessly deliver third-party banking services to their customers, disrupting legacy core banking systems and paving the way for banks to build delightful digital experiences.
Broadly speaking, we see three categories of API economy companies emerging: horizontal solutions (APIs that can be utilized at any company, regardless of vertical), vertical solutions (APIs designed to solve vertical challenges, i.e. ERP APIs for healthcare providers to securely transmit patient data), and API enablers (the infrastructure that enables the API economy to thrive, from development to security and monitoring). The map below gives some examples of interesting API-first businesses, but is not intended to be comprehensive.
Now that we understand the importance of the API economy, what are the key characteristics that these companies will need to exhibit to make them successful? Using Plaid as an example (which Visa announced plans to acquire for $5.3b in January 2020 before regulatory fall out), we can observe several winning characteristics of an API-first business:
- They simplify a complex problem that is critical to their users’ business: strong API-first companies “abstract away the messy, the repetitive, and the complicated ”.³ WorkOS helps developers with a critical problem (the ability to sign enterprise contracts by having single sign-on functionality) through offering infrastructure that is otherwise time-consuming and costly to build. Plaid’s founders initially set out to build a tool for consumers to manage their finances when they realized the archaic process of connecting to users’ bank accounts. Building connectors to bank accounts was technically difficult due to the number of banks globally (Plaid currently integrates with more than 10,000 financial institutions), as well as the fragmented nature of data available from each bank. Connecting to transaction data easily and quickly for consumer fintech was critical for the utility of their applications, but was technically difficult without the use of Plaid.
- They enable an industry transformation or a change in developer needs: Plaid was founded in 2013 and catalyzed a generation of neobanks and consumer fintech platforms (Acorns, Betterment, Chime, Transferwise, and Venmo, to name a few), who benefited from easy access to bank transaction data. Stripe, similarly, emerged at a time of rapid eCommerce growth. Stripe enabled a new generation of merchants to access payments infrastructure so that they could focus on their core competency, running their stores.
- They provide strong documentation and support: API documentation is a piece of content that gives users instructions on how to effectively integrate and use an API. Great documentation is crucial to providing an outstanding developer experience, and will help get them to the “aha” moment as quickly as possible. This will also reduce the time it takes to onboard new users and will save a support team’s time downstream. Zapier outlines 8 examples of effective API docs here and explains in detail what makes them great. Plaid has a history of listening intently to their developer community when creating their documentation focuses on maintainability, scalability, discoverability, and comprehensiveness.
As the API economy continues to flourish and produce exceptional companies, the enablers will play a critical role in the future success of the ecosystem and the companies within it.
API Economy Enablers
The explosion of the API economy has launched a wave of companies who are selling the “picks and shovels’’ for the API gold rush. The emerging categories include API management platforms, which help developers create, publish, monitor, and document their APIs; API marketplaces, which gives API providers the ability to publish APIs so developers can discover them; and API security platforms, which enable enterprises to deploy internal and third-party APIs while managing the associated security risks. These enablers help give developers and users the critical infrastructure to effectively build, manage, and secure their APIs, which I will discuss below.
API management systems allow developers to simplify the process of creating and maintaining an API service. They play a crucial role in the success of the entire ecosystem, and their popularity has reflected that. Postman, an example of an API management provider, raised $150 million in new funding in June, bringing its valuation to $2 billion. Kong, a company that allows users to manage, scale, and monitor APIs and microservices, recently raised their Series D round tripling their valuation to $1.4 billion from March 2019. There has been active M&A activity in this category, with Salesforce acquiring Mulesoft in 2019, and Google acquiring Apigee in 2016. API marketplaces have become active curators of best practices, resources, and workspaces for developers, providing the support and glue for the API economy to flourish.
RapidAPI, the world’s largest API marketplace, had 20,000 APIs as of May, doubling in the last year, with 1000 APIs being added to each month.⁴ Marketplaces empower API providers to increase the visibility of their APIs, and the ability to monetize them by connecting them with developers.
As the number and popularity of API-based business models proliferate, one critical factor of their success that will come to the forefront will be ensuring their security and privacy. In 2017, Gartner analysts predicted that by 2022, API abuses would be the most-frequent attack vector for enterprises.⁵ Since that report was published, there have been several API-related cyberattacks, including an incident at USPS that potentially exposed data on 60 million customers.⁶ We can liken the explosion in the number and usage of APIs, and thus their importance as an attack vector, to the proliferation of connected devices and the increased awareness of IoT cybersecurity at the enterprise level.⁷
The increase in the number of breaches has set into motion start-ups like Salt Security and Noname Security. These companies protect the APIs in an enterprise’s environment by using machine learning to identify anomalies in API behavior data. We see these players as playing an important role in the API economy, by fostering trust with developers who deploy API into their applications, and with users who choose to deploy APIs at their organization.
Frameworks are also emerging that help address some of the common security pitfalls associated with APIs. Salt Security’s Head of Research, Inon Shkedy, collaborated with OWASP to create an API Security Top 10, which recognizes “the crucial role that APIs play in application architecture today and therefore also in application security.”⁸
APIs also present significant data privacy risks, due to the inconsistency and opaqueness of API usage terms. The Cambridge Analytica scandal of 2018 was caused by a Facebook API that gave developers access to not only consenting user’s data, but their Facebook friends’ data, including their birthdays, interests, former employers, and the like. We predict that a critical success factor for API-first or API-driven companies in the future will be designing appropriate access level management and working closely with API management systems to monitor and track API activity. The API Evangelist Kis Lane suggests that API companies should practice active scanning, granular security policies, and continual monitoring to avoid API misuse and related fallout.⁹
As the API economy flourishes, the trust infrastructure that ensures its long term success will continue to evolve and mature. Trust is one of our core thesis areas at Georgian, and we are excited to see how API-first companies build trust with developers and consumers through their security and trust strategy.
If you’re building an API first business or would like to chat about this topic, please reach out! You can write me at firstname.lastname@example.org or find me on Twitter @oliviatrain_.
This blog was originally published on medium.
Grace Isford’s API-First Directory is a comprehensive database of API-First startups, which you can find here:
Justin Gage’s “What’s an API?” is a helpful guide to understanding APIs: https://technically.substack.com/p/whats-an-api
9 Components of Great Developer and API Documentation from WorkOS: https://workos.com/blog/great-documentation-examples
Kin Lane’s blog, API Evangelist, covers almost all topics related to APIs and is an invaluable resource: