* throttling
* rate limiting
* authentication and authorization
* API usage analytics
To put it another way, for Google the answer to the tooling question is form an inhouse team, include one of the fellows who wrote C to develop a performant garbage collected language, and then throw some of those quarter million dollar a year plus engineers at writing whatever tools you want. At the other end, some entrepreneurial idea person tells the contract PHP programmer to make it happen next week. In the middle is someone who hires a consultant and another person who combines Legos on AWS themselves.
Which is a round-about way of getting to the critical idea: the good solutions for your company must fall into a very narrow range of technical and business criteria.
Good luck.
It concerns a large multinational in the transport sector. While we have built up a strong digital department, there's a lot of catching up to do, so the more 'batteries included' any given solution has the better.
On the other hand, it's crucial that we can extend any given tool as there will undoubtedly be unforeseen or non-default scenarios. For example: we'd love to perform some analytics on not just what customers are calling the APIs, but perform more detailed queries based on e.q. request parameters, geoIP, or perhaps even User Agent headers. It is absultely no problem to have to do this ourselves by performing raw queries on the database, and perhaps built our own dashboard around it, but again; if there's something that already covers a lot of these cases that'd be ideal.
The minimum required functionality is that the tool can operate as an authenticating proxy, only passing on requests when the e.g. OAuth2 headers are verified. Other security aspects, such as throttling and rate limiting are a requirement as we're dealing with systems that must be protected from unforeseen load.
Nice to haves are features such as autogenerated documentation pages, where clients can test the APIs from within their browser. On the other hand: rolling this ourselves using Swagger wouldn't be a problem either.
Research so far has included looking at some open source tools, e.g. Kong[1] from Mashable, apigee[2], reading up on Gartner's magic quadrant re. API management, and demos from IBM and CA. Costs of these vendor tools aren't a major concern, lack of modifiability absolutely is. I'm currently leaning towards Kong, but am wondering if others have interesting experiences to share.
[1]: https://getkong.org/ [2]: https://apigee.com/ [3]: https://www.gartner.com/doc/reprints?id=1-2DC669J&ct=150409&...
You might want to check out http://apiaxle.com/. The folks at https://mapzen.com/blog/apiaxle/ seem happy. Near the end of the blog post they point to https://aws.amazon.com/api-gateway/ as well.
[0] : https://keen.io/