First and foremost, you should inventory and select API management tools. The management tools will enable you to make rapid progress in the actual work on APIs and avoid unnecessary effort.
Key management tools are:
Developer Portal
API Gateway
API Manager
API Analytics.
Tapio Tiili, Principal Consultant at Reaktor Oy, stresses lead time thinking:
An individual high-quality API can be implemented very fast if the environment is favourable for this.
Tiili also emphasises the importance of co-development:
In a favourable operating environment, implementing APIs may even be considerably faster than making decisions on them.
You should plan an operating model that relies on APIs and an implementation method based on them already before making the procurement.
Updated: 8/5/2026
Choose a solution that is a good fit with the organisation’s infrastructure
Select the management tool based on the following criteria:
Costs and ease of use: Cloud-based solutions are often cost-effective and easy to deploy.
Meeting basic needs: Ensure that the tool supports all key API management functions (such as access rights management, verification of authorisations and usage monitoring).
Compatibility: The tool must work seamlessly with the organisation’s existing infrastructure.
Continuity: Check that the API management tools have permanent funding that does not depend on individual projects.
Management tools are supplied by
commonly used cloud service providers
separate system suppliers
open source code projects.
Comparing the basic functionalities of the solutions is easy.
In practice, interoperability with the rest of the organisation’s infrastructure is often more important than the differences between individual solutions' management features.
Updated: 6/5/2026
Developer Portal facilitates deployment
API Developer Portal is a software developers' website for finding and testing APIs and requesting access to them.
The Developer Portal is a single site where all the organisation’s APIs are listed and can be found.
It contains an up-to-date description in two formats:
in readable format
in a format that developers' tools can use automatically.
In the Developer Portal, the organisation’s APIs can be documented in a sufficiently consistent way. At best, it creates a structure for content production that guides developers to describe the APIs uniformly. This makes it easy for an outsider or a new person to understand the way they work and the added value they offer.
The Developer Portal may also contain
ready-made reference implementations showing how an API can be used
analytics data on how the APIs work
service disruption notices
information about API versioning and life cycles
contact details of persons who can help with deployment or fault reporting.
Several different API description languages have been created for Developer Portals. OpenAPI is the most commonly used one in connection with RESTful architecture style. OpenAPI is an open-source API specification format.
It is used to describe the API in a standard, machine-readable format, which facilitates documentation, testing and software compatibility.
Due to its implementation method and popularity, it is compatible with different tools, platforms and programming languages.
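Because the description is machine-readable, a tool can check it before an API is published. The following is an added example, not part of the original guidance: it reads an OpenAPI 3 description and lists the operations that can be called without credentials. The sample description, its paths and the scheme name `apiKeyAuth` are constructed for illustration.

```python
import json

# Constructed OpenAPI 3 description in JSON form; paths and scheme name are made up.
SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Permits API (constructed)", "version": "1.0.0"},
  "security": [{"apiKeyAuth": []}],
  "paths": {
    "/permits": {
      "get": {"responses": {"200": {"description": "ok"}}},
      "post": {"security": [], "responses": {"201": {"description": "created"}}}
    },
    "/status": {
      "get": {"security": [{}, {"apiKeyAuth": []}],
              "responses": {"200": {"description": "ok"}}}
    }
  },
  "components": {"securitySchemes": {
    "apiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}}
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def unauthenticated_operations(spec):
    """Return sorted "METHOD path" strings that are callable without credentials."""
    default = spec.get("security", [])
    open_ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-operation keys
            # An operation-level "security" list replaces the top-level default.
            requirements = op.get("security", default)
            # An empty list, or an empty {} alternative, permits anonymous calls.
            if not requirements or any(r == {} for r in requirements):
                open_ops.append(f"{method.upper()} {path}")
    return sorted(open_ops)

if __name__ == "__main__":
    for operation in unauthenticated_operations(SPEC):
        print("no authentication required:", operation)
```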
Mika Hyyrynen, leader of the Tax Administration's API team, notes that the Tax Administration has used an API Portal (https://api-developer.vero.fi/apis) since 2023, and it has proven useful for both developers and customers.
The portal operates as a centralised platform that links different actors' needs and makes it easier to control suppliers and developers.
- Mika Hyyrynen, Finnish Tax Administration
Updated: 6/5/2026
Use API Gateway to manage access rights
A public sector organisation typically manages dozens or hundreds of APIs. As a basic premise, they all have the same fundamental requirements:
access control
usage monitoring
limitations and prioritisations of use.
Redoing these basics for each API is wasted effort.
API Gateway, or a centralised publication channel, is software that
manages API access rights and authorisations
implements information security policies
controls and prioritises network traffic
limits and manages the total load of back-end information systems
operates caching.
All cloud service providers offer their own products, and open source products are additionally available.
The three key functionalities of the API Gateway are:
Authentication of users or information systems accessing the API and verification of their rights.
Limiting the number of API calls to a level that is reasonable for the back-end system.
Logging network traffic.
The API Gateway solution must be able to limit the number of API calls from external information systems. An excessive number of API calls can overload or crash the back-end system. The functionality of a typical technical solution ensures that, even during excessive load peaks, the back-end systems only have to handle a pre-planned and limited number of API calls.
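The three functionalities above can be sketched in a few lines. The following is an added example, not code from the original guidance or from any gateway product: it authenticates the caller, verifies access rights, applies a per-client quota and a shared back-end ceiling using token buckets, and logs every decision. The API keys, client names, paths and limits are constructed.

```python
# Constructed sample data: API keys and the paths each client is authorised for.
CLIENTS = {
    "key-alpha": {"client": "city-app", "paths": {"/permits"}},
    "key-beta": {"client": "vendor-x", "paths": {"/permits", "/invoices"}},
}

class TokenBucket:
    """Admits `rate` calls per second on average, with bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.updated = float(burst), None

    def allow(self, now):
        if self.updated is not None:
            # Refill in proportion to elapsed time, never above the burst size.
            elapsed = now - self.updated
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Gateway:
    def __init__(self, client_limit=(1.0, 2), backend_limit=(2.0, 3)):
        self.client_limit = client_limit
        self.client_buckets = {}
        self.backend = TokenBucket(*backend_limit)  # pre-planned back-end ceiling
        self.log = []

    def handle(self, api_key, path, now):
        entry = CLIENTS.get(api_key)
        client = entry["client"] if entry else "unauthenticated"
        if entry is None:
            status = 401  # authentication failed
        elif path not in entry["paths"]:
            status = 403  # authenticated, but no access right to this API
        else:
            bucket = self.client_buckets.setdefault(
                client, TokenBucket(*self.client_limit))
            # Per-client quota first, then the shared cap protecting the back end.
            allowed = bucket.allow(now) and self.backend.allow(now)
            status = 200 if allowed else 429
        # Every decision is logged, including rejections.
        self.log.append({"ts": now, "client": client, "path": path, "status": status})
        return status
```

Only calls that return 200 would be forwarded, so the back end never sees more than the shared bucket admits, however many clients burst at once.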
A high-quality API Gateway can combine data from different back-end systems and create different views of the same basic data for different user groups. It can partly automate API-related content production and communication.
A secure API management system is a way of creating a secure production system with much less effort. You do not need to learn about all threats, and the system is still built to tackle them.
- Juha Karvonen, Partner Solution Architect, Microsoft
Millions of rows of log entries can be rapidly accumulated from API use. Getting an overview based on them often takes a lot of effort. This is why you need software that analyses log entries and visualises information in a format that is easier for humans to understand.
Analytics that converts log data into observations is almost unavoidably part and parcel of API management.
Analytics helps all parties resolve various fault situations. It also enables knowledge-based decision-making in API issues. The data should be refined for development, business, customer management and information security purposes. For example, API logs can serve as a data source for a Security Operations Center (SOC) that produces an overview.
The purpose of API analytics is to keep track of which APIs each user has used, how and when. For freely available data, the total volume of use and its distribution are of interest. For restricted data, it is also important to be able to check its use in questionable situations. In some use cases, you even need to drill down to the level of individual data content and user IDs.
Professional provision of APIs requires an ability to monitor API use, both at the level of an individual query and as various statistical compilations.
API analytics produces important data for knowledge-based management of services and the organisation. Analytics can be used in different ways to optimise digital service development.
For example, the volume of API usage, the user, date and time can be valuable information in terms of API maintenance and development. The number of various errors and latency (in milliseconds) are also often valuable information for maintenance and development purposes.
In production environments, the response time to API calls is a particularly important factor to be analysed. An exceptionally slow response may crash the other party’s application and, in practice, be as harmful as no response at all.
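The following added example, which is not part of the original guidance, shows how raw log entries become the observations described above: calls, errors, denied requests and latency per client and API, plus a short list of pairs worth a closer look. The log lines, field names and thresholds are constructed assumptions.

```python
import json
import math
from collections import defaultdict

# Constructed gateway log, one JSON object per line; the field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2026-01-01T09:00:01Z", "client": "vendor-x", "api": "/invoices", "status": 200, "ms": 42}
{"ts": "2026-01-01T09:00:02Z", "client": "vendor-x", "api": "/invoices", "status": 200, "ms": 55}
{"ts": "2026-01-01T09:00:03Z", "client": "vendor-x", "api": "/invoices", "status": 500, "ms": 1800}
{"ts": "2026-01-01T09:00:04Z", "client": "vendor-x", "api": "/invoices", "status": 200, "ms": 61}
{"ts": "2026-01-01T09:00:05Z", "client": "city-app", "api": "/permits", "status": 200, "ms": 30}
{"ts": "2026-01-01T09:00:06Z", "client": "city-app", "api": "/invoices", "status": 403, "ms": 5}
{"ts": "2026-01-01T09:00:07Z", "client": "city-app", "api": "/invoices", "status": 403, "ms": 4}
"""

def summarise(log_text, slow_ms=1000):
    """Per (client, api): calls, server errors, denied calls, latency, slow calls."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            groups[(rec["client"], rec["api"])].append(rec)
    report = {}
    for key, recs in groups.items():
        latencies = sorted(r["ms"] for r in recs)
        # Nearest-rank 95th percentile: the value at position ceil(0.95 * n).
        p95_index = max(0, math.ceil(0.95 * len(latencies)) - 1)
        report[key] = {
            "calls": len(recs),
            "errors": sum(r["status"] >= 500 for r in recs),
            "denied": sum(r["status"] in (401, 403) for r in recs),
            "p95_ms": latencies[p95_index],
            "slow": [r["ts"] for r in recs if r["ms"] >= slow_ms],
        }
    return report

def flag_for_review(report, max_denied=1):
    """Client/API pairs with repeated denials, server errors or slow responses."""
    return sorted(key for key, row in report.items()
                  if row["denied"] > max_denied or row["errors"] or row["slow"])

if __name__ == "__main__":
    for pair in flag_for_review(summarise(SAMPLE_LOG)):
        print("review:", pair)
```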
Updated: 6/5/2026
API Manager for API operators
The API Manager, or management feature, is intended for API operators.
The following aspects are specified in the information system:
which APIs are enabled
which back-end systems they call
API protocols
identification methods
access rights.
The definitions made in the management functionality are transferred to the API Gateway component, which in practice implements the desired functionalities.
A high-quality API Manager component can generate for each API a suitable test dataset that is similar to authentic data content, however without allowing the tester to use the authentic system. This feature, known as the sandbox, helps users learn about APIs. Automated or semi-automated sandbox creation saves a significant amount of working time.
Mika Hyyrynen, leader of the Tax Administration’s API team, describes this model as self-service:
The Tax Administration’s API team stresses that you should be able to deploy APIs easily as a self-service. This requires good documentation and a sandbox environment for experimentation.
The Tax Administration has largely followed the general good practices of API work, which has made both development and production easier. The sandbox is used both for experimentation and for sparring software suppliers.
Updated: 6/5/2026
API specification tools
The management tool may also include a browser or separate application that facilitates API specification. The specification tool produces a set of API specifications for the other management system components.
Updated: 6/5/2026
Internal management solutions of the organisation
The organisation’s internal APIs may be managed differently from external APIs.
Three commonly used options for managing internal APIs are available:
1. No separate management: If the technical documentation is easily accessible and the APIs have a limited group of users, separate management may not be needed. Instructions for use may be included in the documentation available to other developer and maintenance teams. This model may be particularly suitable for small and limited environments.
2. The same management solution for internal and external APIs: If there is a large number of internal developer teams or the organisation wishes to benefit from systematisation, internal APIs can be managed in the same way as external ones. In this case, locating the API Gateway in the same data center or cloud service as the organisation's other services is recommended to minimise the impact of network disruptions.
3. Service mesh model: In this model, a separate system and Developer Portal is created for managing internal APIs in the same way as in option 2, but data connections link the calling information system directly to the system providing the API. While this combines manageability and efficiency, it may require more learning at the beginning.
Studies have found that most APIs are intended for internal use. It is advisable to ensure that a Developer Portal is also available for internal APIs from the start and to deploy other management system modules as needed.
Mika Leivo, Chief Data Architect of the City of Helsinki, stresses that a hybrid environment with both a data center and cloud services is a more secure option than a data center solution alone:
The hybrid solution also brings added value compared to a data center based solution in terms of security, and the experience and solutions of large cloud service providers are useful, particularly in the prevention of denial of service attacks.