API Gateway Requirements Template, Checklist and Gathering Document
This requirements table for API gateway products clearly outlines the key features and functionalities considered when evaluating vendors. We include security protocols supported, the ability to handle high traffic loads and scale automatically, support for multiple languages and frameworks, and customizable request and response handling. Other important considerations may include the level of technical support offered, the availability of detailed documentation and developer resources, and pricing and licensing options.
API Gateway Requirements Table
Each entry below gives the requirement, a short description of what the gateway must do, and example sub-features or capabilities to check for when comparing vendors.

Requirement: Must have API authentication
Description: Must have the capability to authenticate and authorize users before allowing access to the API.
Sub-features: Basic Authentication, Digest Access Authentication, Token-based Authentication

Requirement: Must have good policy management
Description: Must have the ability to create and enforce policies that dictate how the API can be accessed and used.
Sub-features: Policy Tagging, Policy Bundling, Policy Versioning, Policy Deployment, Policy Design, Policy Enforcement

Requirement: Must protect against attacks
Description: Must have built-in security features to protect against common web application attacks such as SQL injection, cross-site scripting, and denial-of-service attacks.
Sub-features: IP Whitelisting/Blacklisting, Malware Detection, Malicious Scripting, System Overload

Requirement: Must provide protocol conversion
Description: Must be able to convert between different protocols, such as HTTP to HTTPS, to ensure compatibility with different systems.
Sub-features: SOAP to JSON Conversion, JSON to SOAP Conversion, JSON to XML Conversion, XML to JSON Conversion

Requirement: Must have traffic management
Description: Must have the ability to manage and control incoming traffic to the API, including rate limiting and traffic shaping.
Sub-features: Traffic Prioritization, Quota Management, Caching, Throttling, Rate Limiting

Requirement: Must support the API lifecycle
Description: Must provide support for the entire API lifecycle, from creation and testing to deployment and management.
Sub-features: API Composition, API Virtualization, API Versioning, API Request Auditability

Requirement: Must have identity management
Description: Must have the ability to manage identities and access control for the API.
Sub-features: Identity Management, Okta, Authorization Services, SAML Support

Requirement: Must provide access control
Description: Must have the ability to control access to the API, including authentication and authorization.
Sub-features: Platform Access Levels, Platform Access Revocation, Anonymous Platform Access, Fine-grained Access

Requirement: Must support bulk data transfers
Description: Must be able to handle large-scale batch-based or file-based data transfers.
Sub-features: File-driven Message Interaction Mode, Bulk/batch Interaction Mode

Requirement: Must have data centers in different geographies
Description: Must have data centers located in multiple geographic regions to provide low latency and high availability.
Sub-features: North America Region, South America Region, EU Region, Asia-Pacific Region

Requirement: Must have a fair and transparent pricing model
Description: Must have a pricing model that is fair, transparent, easy to understand, and fits the use case.
Sub-features: Low Cost Pricing Per API Call, Low Cost Pricing for Low API Call Volume, Low Cost Pricing for API Gateways, Low Cost Pricing for High Egress

Requirement: Must have key management
Description: Must have the ability to manage and secure keys used for encryption and authentication.
Sub-features: Key Management, Public Key Infrastructure (PKI), Single Sign-on (SSO)

Requirement: Must provide message-level security
Description: Must have the capability to secure messages at the transport and application layers to protect against eavesdropping and tampering.
Sub-features: Message Injection, Malformed Message, Message Depth Limit