Gravitee: Introduction for creating APIs

Gravitee is one of the open-source options that exist in the market for API management. In this post, we will make a basic approach on how to mount or manage an API.

As a backend, we will use old examples. And in principle, we will not focus on how we should install it. Here is a docker-compose that will be the base of our example.

The first thing is to talk a bit about Gravitee and its components:

• Management API. It will allow us to carry out the administration remotely. Link to its documentation.
• Management UI: Graphic interface for administration. Which we will use mostly in the example.
• API Gateway: The Gateway in charge of doing all the work: Redirecting, checking plans, etc.

Now we can start creating our API. To do this we must access the URL of the administration console through the following link.

As you see when you enter the first time we will not have created any API, as is normal. Now we will proceed to create it. When we try to access for the first time, we can create an API in three ways:

• From scratch: We will go step by step indicating how we want our API.
• Through a Swagger file that defines externally as our API.
• Through a Gravitee’s own API definition, which will contain a higher level of configuration on it.

For this example, we will always make the API step by step. When we create an API, we will pass through a tutorial that will indicate how we want to configure the API. This tutorial will be divided into the following sections:

• General: It will allow us to indicate the name, description, version and context-path of our API.
• Gateway: It will allow us to indicate the backend. In this case: http://sandbox-camel:9090/book.
• Plan: This is an important section. It will allow us to indicate the type of access to the API, limit access to certain resources, or specify the type of subscription you will have. In our example, we will use a plan with Keyless security and with the Path Authorization section which only allows the path / and the GET and DELETE methods.
• Doc: It will allow us to associate documentation to our API.
• Deployment: It will indicate a summary of the current configuration and it will also allow us to create the API and deploy it with a simple click.

Once we created it, it will redirect us to a new section with the details of the API, from which we will be able to access your plans or subscriptions. As it is a Keyless API we do not require a subscription and therefore we will use it directly. In order to make it visible to everyone and to be able to see it we must click on the link MAKE PUBLIC, in the new section.

We will already have our API deployed and operational in Gravitee. Like is Keyless, we can test it through a GET call to http://localhost:8082/book/ without any other parameters. But remember that we have also indicated that we can only access the root route. So if we try to make the next call, http://localhost:8082/book/1, we will get this message:

{ “message”: “You’re not allowed to access this resource”,
“http_status_code”: 403 }

Now let’s see a little more about how the plans work. From the current section, we will go to the menu option Plans and edit it. Making the following changes:

• Restrictions: Add a limit of 5 calls per minute.
• Restrictions: Adding a quota of 20 calls per day.
• Path Authorization — whitelist: Add the path pattern ‘/{book}’ associated to the GET, PUT and POST methods.

Now we can call all the resources of our backend but at most 5 times per minute and 20 times per day. So if we make the call to http://localhost:8082/book/1 6 times, we will get the following message:

{ “message”: “Rate limit exceeded ! You reach the limit of 5 requests per 1 minutes”,
“http_status_code”: 429 }

And if we call more than 20 times in a day. We’ll obtain the following:

{ “message”: “Quota exceeded ! You reach the limit of 20 requests per 1 days”,
“http_status_code”: 429 }

As you can see, it is easy to create access policies on our API. And also you will have checked that after any change on the API or the associated plan, Gravitee will ask you to redeploy it:

Now we will see how to make an API that requires validation through a key and therefore this subscribed to an application, which will provide the same. We can choose between 3 types of keys: API Key, Oauth2, or JWT. For our example, we will use the simplest one, API Key.

To apply it, we must go back to the plan section of our API and create a new one, since we cannot modify the security of the previous plan. After creating it, we will have to publish it and deploy the API again.

Now we will proceed to go to the subscription section and create a subscription between the new plan and the default application already created. When we create the subscription, we will see the details of it and the Key API.

If we try again the call that allows us to get a book we will get the following answer:

{ “message”: “Unauthorized”,
“http_status_code”: 401 }

For a correct answer, we must add the X-Gravitee-Api-Key header with the value of our key.

curl — location — request GET ‘http://localhost:8082/book/1' \
— header ‘X-Gravitee-Api-Key: 5bbdac7d-dc88–4102–9e35-d29a6476cefd’

With this we will have seen the most important details in the creation of APIs. But in the section on the left we will be able to access other menu options that will provide us with more configuration:

• Proxy: Allows us to modify or add more, include CORS headers, health check to verify if the backend is operational or include a failover policy that allows us to indicate the maximum number of calls to a backend before moving to the next one.
• Design: Allows us to make policies before or after the calls. These policies will have associated actions. And resources and properties associated with these policies.
• Analytics: Provides a visual of the use of our API.
  Audit: Indicates all the configuration actions that we have done on our API.
• Notifications: Allows us to add alerts based on different events.
• Messages: Allows us to indicate how we want to receive messages.

I hope it has served you as a mini tutorial and approach to this excellent API management software. It is also important to note that although it is not included in the docker-compose, Gravitee has a user portal where you can view all those APIs that are public.