Developing ecosystem-ready APIs and applications

Developing ecosystem-ready APIs and applications

Ecosystem-ready is not just about robust engineering, security, and operational practices. Here's what your devops team needs to know.

Credit: Dreamstime

So you’ve developed cloud-native microservices, have a process to manage API keys, and documented the integration options. Your devops team thinks it's ready to publish the APIs and support application integrations. But are your APIs and applications ecosystem-ready?

Software as a service (SaaS) platform companies recognise the strategic importance of integrating into platform ecosystems and ensuring their technology provides more than APIs and plugins. Their technology can’t live on an island and must integrate with IFTTT platforms like Microsoft Power Automate, Zapier, and Zoho and integration platforms like Boomi, MuleSoft, and SnapLogic.

But ecosystems have broader business significance than discrete platforms; they connect supply chains, internal operations, partners, and customers. In The Future of Competitive Strategy, author Mohan Subramaniam discusses how all firms, including legacy businesses, can grow new product lines, become more efficient, and deliver other digital transformation impacts by developing production and consumption ecosystems. He defines production ecosystems as an internal avenue for a firm to unlock the value of data and separately defines consumption ecosystems as connections external to their value chains with suppliers, customers, and partners.

Going from API-first to ecosystem-ready strategies raises the technical requirements bar for devops teams, even when businesses only focus on internal production ecosystems. Developing an ecosystem-ready API, service, or application lets multiple parties leverage their interfaces, data, and functionality. The implications, whether spelled out in a service-level agreement (SLA) or not, is a level of robustness, reliability, and security expected by the consuming services and applications. 

What does it mean to be ecosystem-ready?

Marko Anastasov, co-founder of Semaphore CI/CD, shares this baseline definition of an ecosystem-ready application. “An ecosystem-ready application prioritises modular design, secure and well-defined APIs, and robust monitoring and performance tools,” he says. “It should seamlessly integrate with existing systems through open standards while ensuring safe releases through continuous testing and deployment strategies. Critical components include robust security measures, real-time system monitoring, and scalability solutions like containerisation and microservices.”

Let’s unpack this a bit:

  • Modular design implies that applications can be supported and enhanced easily.
  • Well-defined APIs mean they are documented and have defined use cases.
  • Robust monitoring and AIops ensure that customers know the API or service performs consistently.
  • Continuous testing with robust data helps reduce the risks of breaking downstream services.

I would also recommend that ecosystem-ready applications and services leverage feature flags and use canary deployments, especially if many consuming applications require high reliability.

Beyond these basics, ecosystem-ready implies that the devops team follows best practices around testing, data management, and identity. The team must also track dependencies, including third-party services, APIs, data sources, frameworks, and libraries.

“Ecosystem-ready applications must meet strict code testing requirements, validate their architecture against non-functional requirements (NFRs), adhere to sensitive data flow compliance, and track dependencies,” says Dennen Monks, principal system engineer at Bionic. “Examples include having a robust inventory of all APIs exposed and consumed across all services, validation of data broker services correctly implementing secret stores, authentication, and authorisation capabilities, and tracking dependencies on third parties that introduce security and operational risk.”

Embrace security requirements and testing

Beyond these basics, ecosystem-ready components require robust security implementations to avoid propagating security events and incidents to consuming services and applications. 

“Organisations serious about being a good ecosystem partner must make both north- and south-bound integrations as easy as possible through APIs,” says Filip Verloy, field CTO at Noname Security. “Organisations should focus on delivering secure code via API security testing and standard API integration documentation.”

What about security requirements? Brian Cafferelli, product marketing manager at Quickbase, notes that third-party security scans and built-in distributed denial of service (DDoS) protection are essential. "Then, set permissions at a granular cell level to ensure users only see what they need to see.”

Chandler Hoisington, chief product officer at EDB, adds, “Creating APIs ready for the ecosystem requires solid foundational systems that will be reliable, well documented, and easily maintained. For example, PostgreSQL is known for its robust security woven into its architecture, including encryption, authentication, and authorisation to ensure databases are secure.”

Organisations developing ecosystem-ready components should commit to technical and security standards, especially for services with sensitive information and compliance requirements.

Align with open standards

Having an ecosystem-ready component from the inside is more valuable when partners, customers, and other developers see evidence of underlying best practices from the outside in. One way to demonstrate the internal best practices is by committing to open standards that make it easier for architects to evaluate and for developers to integrate. 

A good place to start is identity management, since many ecosystem-ready applications must support authorisations and entitlements. “Ecosystem-ready applications should support all major open, interoperable protocols and standards, either natively or through service providers, such as SAML, OAuth, OpenID Connect, FIDO, and WebAuthn,” says Rishi Bhargava, co-founder of Descope. “This ensures the secure and consistent flow of user identities across the ecosystem and reduces the barrier to entry for any partner looking to integrate with the application.”

A second recommendation is how ecosystem-ready components implement observability, not just for internal diagnostics, but to enable consuming applications and services to trace issues backward up their service chains. “For monitoring and performance, using OpenTelemetry (OTel) is one non-negotiable requirement,” says George Miranda, head of ecosystem at Honeycomb. “An often overlooked benefit of using OTel for ecosystem-ready applications is the ease and reusability of product integrations. If a partnership opportunity requires bespoke work to ingest data in a proprietary format, that’s a roadblock.”

Simplify downstream integrations

Documenting ecosystem-ready APIs, services, and applications is just the basics, and businesses should consider how to make integration easier for downstream developers.

“Just documenting the APIs is not enough to foster a developer ecosystem,” says Deepak Anupalli, co-founder and CTO of WaveMaker. “A sandbox environment needs to be created where developers can easily understand how to use the APIs and integrate them into existing data sources to implement unique innovations.”

Anupalli  adds, “Design-develop-test-deploy cycles can become frequent and tedious in an ecosystem; however, with visual development tools and UI abstractions built on APIs like the ones offered by low-code platforms, iterations can be faster and more efficient.”

Ecosystem-ready components should look beyond IFTTT and integration platforms. Consumers may also use low-code and no-code platforms to build their services and applications. Making it easy to plug into these platforms is one way to expand the downstream developer audience.

Prepare for generative AI ecosystems

Lastly, organisations should consider generative AI use cases, including opportunities to develop and integrate with an emerging AI ecosystem. For example, an enterprise may look to build an ecosystem-friendly large language model that supports LLM embedding and prompting by third-party applications. 

“To leverage AI, companies need to align the SDLC with the AI model development lifecycle and support a dramatically expanding ecosystem of new data sources, infrastructure, models, and frameworks for AI,“ says Kjell Carlsson, head of data science strategy and evangelism at Domino. “The most successful firms have implemented open, flexible, and hybrid development and deployment platforms and invested in end-to-end governance and monitoring specifically for AI.”


Ecosystem-ready is not just about robust engineering, security, and operational practices. To be ecosystem-ready also implies ease of use for downstream users and future readiness to support emerging business cases. When devops teams meet these objectives, it’s far more likely that their ecosystem-ready components will have a greater business impact.

Show Comments