The Payments Institute July 21-24, 2019 • Emory University, Atlanta GA School of Study: Masters, Payments Innovation and Technology, and Payments Risk Management Masters Programs Advanced APIs XYZs of APIs Orlando Santos, Payrailz


The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA

School of Study: Masters, Payments Innovation and Technology, and Payments Risk Management Masters Programs

Advanced APIs: XYZs of APIs

Orlando Santos, Payrailz


So what is an API?

Always on and communicating real-time

• Anyone that has integrated a third-party service or completed an acquisition understands the effort required to get different systems to communicate with each other. APIs are tools that do just that. Acting as a sort of universal adaptor for data, APIs create a common language for different systems to communicate and exchange information.

• Traditionally, APIs have been proprietary, non-standardized, and designed for internal use only. Today, the industry is developing open API standards that can facilitate data-sharing between companies.


And what are APIs used for?


And what else are APIs used for?


Are there more uses for APIs?


Always on!


• Locations

• Make an Appointment

• Account Validation Services

• Foreign Exchange

• Payment Initiation

• Push to Card

• Payment Status

• Positive Pay

• Login/Verify Login Credentials

• Statement Download

• Account Balance/Aggregation

• Image Retrieval

• Tax Information

• …

And even in Financial Services!


Designing an API


Design Considerations

• API design or API architecture refers to the process of developing a software interface that exposes backend data and application functionality for use in new applications.

• A well-designed API should reflect the goals of the business it is designed to serve; otherwise API design can actually hinder the objectives driving the interface’s creation.

• API architects should always focus on real-world requirements rather than technical elegance.

• There is a common belief that Web APIs should conform to the constraints of the REST architectural style.

• APIs should be designed around core practical considerations.


Developer Community Considerations

• One of the key principles of good API design is that an interface must provide a seamless and user-friendly developer experience (DX) if it is to facilitate the creation of applications that add value to the API owner’s business.


Web API Architectural Styles

• Web API describes any software interface that is exposed over the Web using the HTTP protocol in order to facilitate application development (but not limited to any particular message format, pattern or implementation).


• For a Web API to function effectively, it must meet a range of functional and non-functional requirements. These requirements are essentially software qualities the interface should display.

API Architectural Layers


• The API server architecture is divided into a number of layers, through which each request must travel before reaching the API implementation itself. Each layer allows the interface to meet a key functional or non-functional requirement.

• This simplifies the process of interface design because each key software quality is abstracted away from the API implementation and handled in a centralized API server architecture, which can be used across multiple interfaces.

Layered Style of API Architecture


• The USE Paradigm states that, by focusing on designing a Web API that exhibits these three qualities, you can create an interface that offers a better experience both for the developers who build client apps against your API and the end users who consume these apps, while also extending the longevity of these apps…

API USE Paradigm


• Take into consideration who your target developers are, what they are interested in doing and what skill level they have.

• Must be able to effectively handle a growing workload over time.

• Must have evolvability to be able to grow and handle extra load over time. The API should be able to evolve and adapt to changing circumstances. Make systems adaptive by designing in the ability to extend in order to quickly react to new developer needs and possibilities without breaking existing client apps.

API USE Paradigm


• Microservice architecture is helping an increasing number of organizations to minimize the time required for software application projects and to maximize the reliability of backend systems. APIs are essential to microservice architecture.

Microservices Architecture

• Each microservice delivers a focused set of functions enabling systems and applications to be quickly composed by combining functionality from a collection of services.


Dissecting an API


• A private API is an interface that opens parts of an organization’s backend data and application functionality for use by developers working within (or contractors working for) that organization. The new applications these developers create may be distributed publicly but the interface itself is unavailable to anyone not working directly for the API publisher.

Private or Public?


• An open or public API is an interface that has been designed to be easily accessible by the wider population of Web and mobile developers. This means an open API may be used both by developers inside the organization that published the API and by any developers outside that organization who wish to register for access to the interface.

Private or Public?


• REST (Representational State Transfer) API has no official standard at all because it is an architectural style.

• SOAP (Simple Object Access Protocol) API has an official standard because it is a protocol.

• RESTful Web services (RWS) allow the requesting systems to access and manipulate textual representations of Web resources by using a uniform and predefined set of stateless operations.

• In RWS, requests made to a resource's URI will elicit a response with a payload formatted in HTML, XML, JSON, or some other format.

SOAP v REST

• When HTTP is used, the operations (HTTP methods) available are GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS and TRACE.


SOAP v REST


• Both JSON (JavaScript Object Notation) and XML (eXtensible Markup Language) can be used to receive data from a web server.

• XML is much more difficult to parse than JSON.

• JSON is parsed into a ready-to-use JavaScript object.

JSON v XML Syntax


• OAuth is about authorization and not authentication.

• OAuth 2.0 tells you what somebody is allowed to do. Authorization is asking for permission to do stuff.

• The common analogy is that OAuth is the valet key to your car. The valet key allows the valet to start and move the car but doesn’t give them access to the trunk or the glove box.

Open Authorization (OAuth) Protocol


• Authentication is about proving you are the correct person because you know things.

• API keys

• OAuth access tokens

• JSON Web Tokens (JWT)

• IP Whitelisting

API Authentication
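
The split the OAuth and API Authentication slides describe, as an added example that is not part of the original deck: an access token is first authenticated (here an HS256-signed JWT checked with the Python standard library), then authorized against the scope it carries, so a "valet key" token can read payment status but cannot initiate a payment. The shared secret, routes and scope names are assumptions made up for the illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"  # constructed for this example only
# Hypothetical routes and scope names, modelled on the "Payment Status" and
# "Payment Initiation" services listed earlier in the deck.
REQUIRED_SCOPE = {
    ("GET", "/payments/status"): "payments:status",
    ("POST", "/payments/initiate"): "payments:initiate",
}

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(subject, scopes, ttl=300):
    """Authorization-server side: mint an HS256 JWT carrying the granted scopes."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "scope": " ".join(scopes), "exp": int(time.time()) + ttl}
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(sign(header + '.' + body))}"

def authenticate(token):
    """Authentication: is the token genuine and unexpired? Returns claims or None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        # Pin the algorithm; the token must not choose how it is verified.
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = sign(header_b64 + "." + body_b64)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, TypeError, AttributeError):
        return None

def authorize(claims, method, path):
    """Authorization: does the granted scope cover this operation? Default deny."""
    needed = REQUIRED_SCOPE.get((method, path))
    return needed is not None and needed in str(claims.get("scope", "")).split()

def handle(token, method, path):
    """Return the HTTP status the API would send: 401, 403 or 200."""
    claims = authenticate(token)
    if claims is None:
        return 401
    return 200 if authorize(claims, method, path) else 403
```

A 401 means the caller failed authentication; a 403 means the caller is known but the token's scope does not cover the operation.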


• API testing is entirely different from GUI testing and mainly concentrates on the business logic layer of the software architecture. This testing won't concentrate on the look and feel of an application.

• Instead of using standard user inputs (keyboard) and outputs, in API testing you use software to send calls to the API, get output, and note the system's response.

• An API Sandbox is an environment that testers can use to mimic the characteristics of the production environment and create simulated responses from all APIs the application relies on.

How do I test an API?


• Extended reach to new markets and devices (IoT/IoE)

• Generate new business/customers

• Enhanced branding

• Competitive advantage

• Better partner/supplier alignment

• Increased innovation and scale

Business Drivers of APIs


API Lifecycle Management and Governance


Reinventing Bill Pay…with APIs


• The current bill pay model is broken and ripe for disruption; for all stakeholders, the experience is inadequate and fragmented.

The market opportunity


The market opportunity


Transaction Flow – ACH/RTP/Card


Consumer Initiated Linking via Partner


Afinis – Furthering Standardization of APIs Using REST/JSON and ISO 20022


Who is Afinis?

• Afinis Interoperability Standards is a membership-based standards organization that brings together diverse collaborators – through innovative and agile processes – to develop implementable, interoperable and portable standards across operating environments and platforms.

• Afinis seeks to advance API standardization and other financial services standards to increase efficiency, innovation and interoperability in the industry.

• Standards drive adoption. Adoption drives ubiquity.


Afinis Members


API Lifecycle Management and Governance


API Catalogue


APIs in Development


Payments Federated Directory

• Enables payees (billers, merchants, etc.) to register their electronic payment identity.

• Allows payees to specify their preferred method of payment.

• Enables payers to retrieve APIs to facilitate electronic payments.

• Allows multiple payment types to be listed in the directory.

• Supports related business information.

• Supports retrieval of payment routing instructions.

• Furthers electronification of payments for various use cases.


Payments Federated Directory Roles

Credentialed Service Provider (CSP) 1

CSP1 Payer/Financial Institution

Credentialed Service Provider (CSP) 2

CSP2 Payee/Financial Institution

Central Authority (Blockchain), Nacha, ACH Network

CSP-2-CSP API

Initiate Payment API

Transaction Status API
