Setting up an API in API Manager means registering it, putting a proxy in front of it, attaching the policies that protect it, and giving consumers a way to request access. These steps assume you have an Anypoint Platform account with API Manager and an environment selected.
- Add the API to API Manager
In API Manager, choose to manage a new API. Point it at the API specification in Exchange or at the endpoint you want to govern, and let API Manager create the managed proxy that consumers will call instead of the backend directly.
- Apply a starting policy bundle
Open the API and add policies. Begin with Client ID Enforcement so callers must present credentials, then add Rate Limiting or an SLA-based limit. Keep the bundle small and note the order, since policies run in sequence on each request.
- Define SLA tiers
Create the tiers consumers can request, for example a Basic tier with auto-approval and a Premium tier with manual approval. Each tier carries its own rate limit, so one API can serve internal, partner, and public callers from a single deployment.
- Approve contracts and monitor
As consumers register applications and request access, review and approve each contract rather than auto-approving. Then watch response time, error rate, and throughput in Runtime Manager and set an alert so threshold breaches reach the team by email.
- Client ID Enforcement: Requires every caller to send a valid client ID and client secret, tying each request to an approved contract.
- Rate Limiting: Caps requests over a time window, either flat for the API or per SLA tier so different consumer classes get different limits.
- OAuth 2.0 Access Token Enforcement: Validates incoming tokens against an external OAuth 2.0 provider when you need token-based access rather than client credentials alone.
- Spike Control: Smooths sudden bursts of traffic so a momentary flood does not overwhelm the backend service behind the proxy.
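To make the contract, tier and policy-order steps above concrete, here is an added model of a gateway applying Client ID Enforcement and then Rate Limiting per SLA tier. It is example code written for this page, not MuleSoft's implementation, and it assumes a contract holds a client ID/secret pair, a tier name and an approval flag, with the per-window limits chosen arbitrarily.

```python
"""Constructed model of an API Manager policy bundle (not MuleSoft code).
Assumes contracts carry client ID/secret, SLA tier and approval state,
and that each tier defines a per-window request cap."""
from dataclasses import dataclass
import hmac

# SLA tiers as on the page: Basic auto-approves, Premium needs manual review.
TIERS = {"Basic": {"limit": 2, "auto_approve": True},
         "Premium": {"limit": 5, "auto_approve": False}}

@dataclass
class Contract:
    client_id: str
    client_secret: str
    tier: str
    approved: bool
    used: int = 0          # requests consumed in the current window

def request_access(contracts, client_id, secret, tier):
    """Consumer registers an app; Premium stays pending until approved."""
    c = Contract(client_id, secret, tier, TIERS[tier]["auto_approve"])
    contracts[client_id] = c
    return c

def client_id_enforcement(contracts, headers):
    """Policy 1: reject anything not tied to an approved contract."""
    c = contracts.get(headers.get("client_id", ""))
    if c is None or not hmac.compare_digest(c.client_secret,
                                            headers.get("client_secret", "")):
        return 401, None       # unknown client or wrong secret
    if not c.approved:
        return 403, None       # contract exists but is still pending
    return 200, c

def rate_limiting(contract):
    """Policy 2: per-tier cap, counted only for authenticated callers."""
    if contract.used >= TIERS[contract.tier]["limit"]:
        return 429
    contract.used += 1
    return 200

def gateway(contracts, headers):
    """Policies run in sequence; the first failure short-circuits the chain,
    so rejected or unauthenticated requests never consume a tier's quota."""
    status, contract = client_id_enforcement(contracts, headers)
    if status != 200:
        return status
    return rate_limiting(contract)
```

Because the credential check runs first, a pending Premium contract gets 403 before any quota is touched, which is the attributable-access property the manual-approval step is meant to preserve.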
- Auto-approving every contract turns contracts into paperwork and removes the attributable-access benefit that justifies them.
- Each policy adds a step to the request path, so an over-stuffed bundle raises latency and is hard to audit later.
- Policies live on the proxy, so a consumer who reaches the backend endpoint directly bypasses them; lock down the implementation so only the gateway can call it.
- Skipping versioning makes any breaking change a coordinated emergency across every consumer at the same time.