The Challenges of Consuming APIs on Behalf of your Clients

Are you a COBO company?

From the perspective of API consumption management, we've crystallized over time that there are two main categories of API consumers, each presenting its own unique challenges and characteristics:

1. Direct Consumers of APIs: These are companies that directly consume external APIs to integrate resources, aggregate data, or perform analysis. A prime example comes from the last-mile delivery and logistics tracking sectors. Companies like Route4Me or Onfleet are direct consumers of APIs that provide mapping, routing, and real-time tracking services. These platforms integrate with external resources such as Google Maps API for route optimization or Twilio API for communication, directly managing their own API keys to deliver precise logistics solutions. By directly consuming these APIs, they can offer efficient routing, real-time tracking, and customer notifications, ensuring that deliveries are made quickly and accurately.
2. API Consumers on Behalf of (CoBo) Companies: In contrast, CoBo companies operate by consuming APIs on behalf of their customers. These companies typically handle the API tokens of their customers to provide services such as visibility, analytics, threat detection, and resource optimization. Examples of CoBo companies include cloud security providers like Palo Alto Networks Prisma Cloud, which integrates with a customer’s cloud environment to monitor and secure their infrastructure. Using their users API tokens to access and analyze cloud resources. Similarly, low-code/no-code platforms like Bubble allow users to build apps without coding but manage API integrations on behalf of the user, consuming their API keys to connect with third-party services. Another example is SaaS security providers, such as SaaS Security Posture Management (SSPM) tools, which integrate with a customer's existing SaaS services to monitor and optimize their security posture.

Each of these categories presents its own unique challenges. In this post, we will focus on analyzing the specific challenges faced by CoBo companies and discuss best practices for managing and optimizing API consumption when operating on behalf of customers.

Challenges Faced by CoBo Companies

One of the primary challenges CoBo companies encounter is the Noisy Neighbor problem. In the context of companies consuming the API tokens of their customers, this issue arises when the CoBo company competes for the same API quota and resources   with the customer And with other CoBo products/services their user uses. When the CoBo company’s usage is heavy or bursts unexpectedly, it can consume a significant portion of the shared quota, leaving the customer with limited or no capacity to make their own API calls. This can lead to performance degradation, failed requests, and a direct impact on the customer’s operations, creating friction and dissatisfaction.

Another critical challenge is the Lack of Visibility into API Consumption. Without real-time tracking of how APIs are being consumed on behalf of customers, CoBo companies may face severe service degradation and longer processing times, ultimately leading to SLA violations. For example, in cloud security or SaaS security contexts, failing to monitor consumption accurately can result in scans that take far longer than expected. When a disruption occurs during a scanning process, it often necessitates restarting the entire scan, further exacerbating delays. This issue becomes increasingly problematic as CoBo companies scale and onboard larger customers, where API consumption grows significantly. Inefficiencies in API usage can dramatically impact scanning times, turning what used to be an hours-long process into one that spans days. This not only frustrates customers but also puts the CoBo company at risk of breaching SLAs, leading to further friction and potential loss of business. For instance, we had a case where a customer’s scanning process of a cloud provider’s API, which initially took just minutes, eventually stretched into days once an enterprise customer started to use their product, due to these inefficiencies—an outcome that was understandably met with considerable frustration.

Another significant challenge that CoBo companies face is dealing with APIs that impose a quota on an Application ID. This means that even if the CoBo company is consuming an API on behalf of multiple customers, the total consumption is still bound by the quota assigned to the application itself, not just the individual customer accounts.

For example, consider the Microsoft Graph API, which has a quota limitation on the application level. If a CoBo company provides a service, such as scanning for malicious threats in emails across multiple Office 365 accounts, it will be constrained by the application-wide quota, Meaning that one tenant effect the limits of others.This limitation can significantly impact the CoBo company's ability to perform timely scans, leading to longer processing times, potential SLA breaches, and further complicating the management of API consumption. The lack of visibility over the process can exacerbate these issues, making it difficult for the CoBo company to optimize its operations and ensure consistent service quality for all its customers.

This scenario underscores the importance of not only managing API keys and consumption quotas but also understanding the limitations imposed by API providers at the application level, which can have far-reaching consequences for CoBo companies operating at scale.

Additionally, there's a significant Risk of API Key Exposure. Since CoBo companies are in possession of their customers' API keys, they hold a sensitive asset that represents a substantial security risk. If these API keys are visible to CoBo developers or other members of the organization, it opens the door to potential insider threats or unauthorized access. In the event of a security breach or compromise within the CoBo company, these API keys could be exploited, leading to unauthorized actions or data breaches that directly affect the customer. The exposure of API keys represents a serious threat, as it could lead to widespread unauthorized access, data theft, or service disruption, with far-reaching consequences for both the CoBo company and its customers.

Lastly, there's the challenge of Auditing Proof, particularly for customers operating in highly regulated industries. These customers need to have a clear understanding of what actions have been performed by the CoBo vendor when in possession of their API keys. To remain compliant with regulations, it’s crucial to map out the CoBo company’s actions, access patterns, and the data exposed over time. However, without proper controls and auditing mechanisms in place, it becomes difficult for both the CoBo company and its customers to track and verify how API access was handled. This lack of transparency can lead to compliance issues, mistrust, and potential legal ramifications if the actions taken by the CoBo company cannot be adequately documented and justified during audits.

Best Practices for Mitigating CoBo Challenges

The first and most crucial step in addressing the challenges faced by CoBo companies is to gain comprehensive visibility over API consumption. This visibility is key to understanding what data has been accessed, assessing the impact of that consumption, and determining the necessary governance actions. With clear insight into consumption patterns, companies can make informed decisions to mitigate risks and optimize their operations.

1. Mitigating the Noisy Neighbor Problem:
   • Real-Time Tracking: Keep track in real time of how much of the customer's API quota is being consumed. This ensures that you are aware of your usage and can adjust it as necessary to avoid overwhelming the customer's resources.
   • Threshold Alerts: Implement alerts that notify you and the customer when consumption is approaching critical thresholds. This proactive approach allows the customer to take action before their quota is exhausted, preventing unexpected service interruptions.
   • Client side limits/Consumption Boundaries: Define and enforce consumption boundaries, whether through hard limits or soft limits, to ensure that your usage does not negatively impact the customer's operations. This helps maintain a balance between your needs and the customer's service quality.
   • Optimal Timing of API Calls: Where possible, schedule your API calls during periods of low traffic, such as night-time or weekends. This strategy allows you to utilize more of the quota while minimizing the risk of impacting the customer's SLA during peak hours.
2. Managing the Customer's API Keys:
   • Secure Storage and Ephemeral Keys: Store the customer's API keys securely and generate subkeys, often referred to as ephemeral keys. These keys can be provided to developers without exposing the actual API key of the customer. This approach allows:
     • Developer Isolation: Developers are never exposed to the actual API key, reducing the risk of accidental or malicious misuse.
     • Governance: The CoBo company can implement governance over who uses each ephemeral key, tracking consumption and setting specific sub-quotas and usage policies.Note: You will need to create some kind of proxy that capture the traffic and replace the ephemeral token with the original secret token

• Centralized Key Management: Managing API keys from a centralized, secure location improves key security and simplifies authentication processes. This setup also facilitates key rotation and ensures that all authentication occurs through a controlled and secure environment.

3. Providing Auditing Proof:
   • Comprehensive Tracking: Keep detailed records of all API requests made from the CoBo's application. This includes logging who made the API call, the data requested (whether in the payload or query parameters), and the data retrieved in the API response.
   • Audit Readiness: Accumulate and securely store this information for future reference, ensuring that you can provide comprehensive proof if the customer requests an audit. This transparency not only helps maintain customer trust but also ensures compliance with regulatory requirements.

***

If you're a CoBo company grappling with the challenges of managing your customers' API consumption, it's crucial to implement the right strategies to ensure smooth operations and maintain customer trust.

At Lunar.dev, we specialize in helping companies like yours gain visibility, governance, and optimization over API traffic.

If you'd like to learn more about how we can support your organization in overcoming these challenges, feel free to reach out.

We're here to help you ensure that your API consumption is efficient, secure, and fully compliant with industry standards.

‍