- GraphQL is a data query language for APIs
- It solves a common problem in RESTful APIs: the under- or over-downloading of data
- Caching is notably absent in the GraphQL specification
- Edge server parses GraphQL queries for lexical tokens inside the query: whitespace, line termination, comments, commas, and Unicode byte order mark (BOM)
- Canonicalization of each query filters out unimportant differences between requests, enabling the edge to compute a unique cache key
- Errors in response body can be detected and handled
- Addresses many common pain points with APIs; see them here
- Get an overview of GraphQL query parsing and caching at the edge here
Scalable access control
- Your APIs are only as scalable as your access control infrastructure. With key authentication and token authorization on the Akamai Intelligent Platform, you never have to worry about whether your infrastructure can meet peak demand.
- With access control on every edge server, API consumers do not need to wait for a round-trip call to origin for authentication and authorization.
- Key Management allows you to create key groups, define enforcement rules for specific resources, and set quotas.
- API Gateway’s administrative APIs enable you to automate the process of onboarding new partners, managing their access, and configuring other gateway functionality.
- API Gateway helps you ensure uniform access control architecture as your APIs grow and proliferate, eliminating potential security gaps.
- Keep focused on writing code rather than building common functionality, such as authorization, for each API.
- API Gateway supports JSON Web Tokens (JWTs) as credentials.
- Note: These tokens cannot be used for quota enforcement.
- The Key and Quota API documentation may be found here.
User quota enforcement
- Govern consumption of your API resources with quota management that defines the number of requests that a user, organization, or application can make per time period (e.g., per hour, per day).
- Note: Quota enforcement for time periods less than an hour is not available at this time.
- Quotas can be defined for each API key, giving you granular control over the way your customers are allowed to access your data.
- Note: Quotas are defined on a per-key basis, and are not designed to rate-limit total requests.
- Easily create tiers of access with different access SLAs which are enforced globally.
- User quota is not rate limiting. Rate limiting is used to protect infrastructure from instantaneous bursts of traffic, whereas user quota enforces API business SLAs.
- User quota API documentation can be found here.
- Read our blog post about Demystifying Rate Limiting.
- Streamline the process of getting your APIs onto Akamai's intelligent edge platform by simply importing your API definition language file (OpenAPI 3.0 and RAML 0.8).
- Once your APIs are on the platform, they gain the additional security, caching, and performance benefits of the Akamai platform.
- Our rich set of administrative APIs ensures you can configure and control API Gateway functions from within CI/CD pipelines.
- With independent control over caching and delivery rules for each API, you are empowered to optimize routing and offload for your endpoints.
- Akamai API Gateway decouples infrastructure settings from API governance features. This lowers risk and ensures that infrastructure changes do not impact API changes.
- API Gateway gives you access to API traffic with the real-time reporting dashboard. Operational data about API traffic is delivered in real time, allowing you to quickly discover and mitigate operational errors.
- Every set of changes made to your API Gateway configuration is versioned, enabling you to see when and what was done as developers move in and out of a project. You can identify changes between configuration versions with the diff feature.
- Leverage the global scale of Akamai's intelligent edge platform to reduce latency for your API consumers worldwide.
- Protect your APIs from malicious actors by complementing API Gateway with Akamai Kona Site Defender.
- Implement positive security to enforce application protection, such as ensuring that a query string parameter is within a certain integer range.
- Leverage DDoS protection to ensure your API infrastructure is not overloaded by a volumetric attack. Note: This functionality operates by evaluating the IP address of an adversary—not a token or key.
- Configure Kona's WAF rules to protect against common threat vectors such as command or SQL injection sent in a header, query string, or POST body.
- Configure Akamai SureRoute to route your API traffic around Internet congestion points.
- Ensure your cacheable API responses are located close to your API consumers to reduce latency by leveraging the rich set of caching controls from Akamai.
- Download raw log data for ingestion into ElasticSearch or Splunk via Cloud Monitor.
- Learn how to leverage caching to eliminate rate limiting requirements in our blog post here.
- Learn the key differences between API security with Kona vs. API control with API Gateway in our blog post here.