jbnicolai | 10 years ago

Good question! I didn't include too much context in the top-level question to keep the discussion as broad as possible, and hopefully have advice applicable to others as well, but am more than happy to expand a bit here.

It concerns a large multinational in the transport sector. While we have built up a strong digital department, there's a lot of catching up to do, so the more 'batteries included' any given solution has the better.

On the other hand, it's crucial that we can extend any given tool as there will undoubtedly be unforeseen or non-default scenarios. For example: we'd love to perform some analytics on not just what customers are calling the APIs, but perform more detailed queries based on e.g. request parameters, geoIP, or perhaps even User Agent headers. It is absolutely no problem to have to do this ourselves by performing raw queries on the database, and perhaps build our own dashboard around it, but again; if there's something that already covers a lot of these cases that'd be ideal.

The minimum required functionality is that the tool can operate as an authenticating proxy, only passing on requests when the e.g. OAuth2 headers are verified. Other security aspects, such as throttling and rate limiting are a requirement as we're dealing with systems that must be protected from unforeseen load.

Nice to haves are features such as autogenerated documentation pages, where clients can test the APIs from within their browser. On the other hand: rolling this ourselves using Swagger wouldn't be a problem either.

Research so far has included looking at some open source tools, e.g. Kong[1] from Mashable, apigee[2], reading up on Gartner's magic quadrant re. API management, and demos from IBM and CA. Costs of these vendor tools aren't a major concern, lack of modifiability absolutely is. I'm currently leaning towards Kong, but am wondering if others have interesting experiences to share.

[1]: https://getkong.org/
[2]: https://apigee.com/
[3]: https://www.gartner.com/doc/reprints?id=1-2DC669J&ct=150409&...

mtmail|10 years ago

https://www.3scale.net/ comes with a lot of batteries included: user login, user dashboard, email handling, if you wish even payment. It's ideal if on the engineering side you just want a simple API call (to 3scale) that returns 'yes/no' for a given API key and everything else can be configured and designed by a non-engineer. We got something running in two days. It's easy to outgrow 3scale though. We're moving away from them because we handle millions of requests/day (saving money).

You might want to check out http://apiaxle.com/. The folks at https://mapzen.com/blog/apiaxle/ seem happy. Near the end of the blog post they point to https://aws.amazon.com/api-gateway/ as well.

jbnicolai|10 years ago

Thanks! Definitely going to look at these. Can't believe I wasn't aware AWS came with an API gateway service as well.

sinzone|10 years ago

worth mentioning that Apiaxle is not an "active" project on GH.