
RFP Criteria for Choosing an API Management Solution

These are suggested RFP criteria to consider when selecting an API management vendor
Jump to…
Section A. Vendor Experience
Section B. Deployment, Architecture & Administration
Section C. API/Microservices Creation & Deployment
Section D. API Security, Traffic Management & Mediation (API Gateway)
Section E. API Management & Analytics
Section F. API Socialization (Developer Portal)
Section G. Security
Section H. Training and Support
Section I. Industry Experience

Section A. Vendor Experience

Req. id Requirement
A1 How long has your corporation been in business?
A2 How long has your corporation been selling and supporting your APIm product?
A3 Does your corporation have global reach? How many offices do you have around the world?
A4 How many customers do you have worldwide?
A5 How many APIm customers do you have worldwide?
A6 If any components of your APIm solution can be sold separately, how many customers do you have worldwide for these components?
A7 Explain how APIm fits into your hybrid cloud integration strategy
A8 What were your corporation's annual revenues in the last 3 years?
A9 What were your corporation's APIm annual revenues in the last 3 years? If your corporate policy does not allow you to provide this piece of information, is there an independent study/analysis that shows or gives us an idea of your APIm worldwide market share?
A10 What is your corporation's total R&D budget and APIm-specific R&D budget?
A11 Please describe how your organization has innovated or led in domain areas. Please provide examples of each
A12 How many customers use your API offering? Please break down by industry
A13 Please describe the roadmap for your API & Integration offerings
A14 Is your APIm solution ranked by any analysts? If so, please enumerate analysts and rankings
A15 Please describe how your offering integrates with ESB-style or other integration technologies using open standards and automation
A16 Does your organization provide complementary integration technologies that fit into the API management offering?
A17 Please describe your organization's experience of integrating systems, providing examples in our industry if possible
A18 Please provide references for your APIm offering
Section B. Deployment, Architecture & Administration

Req. id Requirement
B1 Do you offer SaaS and on-premise versions of your APIm offering?
B2 Does your solution provide flexible deployment options across public and on-premise environments?
B3 Does the solution provide ease of deployment & management for all components?
B4 Does your SaaS APIm offering run on your own IaaS?
B5 How many actual data centers around the world does your SaaS offering run on?
B6 Do your SaaS and on-premise APIm solutions support multiple languages, e.g. English, Spanish, Chinese, etc.?
B7 Does your solution provide the same functionality and user experience across different deployment options, e.g. SaaS multi-tenant, SaaS single-tenant, on-premise, etc.? If not, please explain what functionality is not offered on one vs. the other
B8 Does your solution include a console to manage and monitor all infrastructure components, i.e. gateway servers, management servers, load balancers, etc., of your APIm solution?
B9 Does your solution support environment promotion? Please explain how. Can promotion to specific environments (e.g. Production) be scripted and limited to specific roles?
B10 How does your SaaS APIm solution integrate with cloud environments like IBM Bluemix, AWS, and Google?
B11 Can a single installation and instantiation of your APIm solution support multi-tenancy?
B12 Please describe the availability and resilience characteristics of the offering and any SLAs associated with it
B13 Please describe how high availability & disaster recovery can be achieved
B14 How does your offering scale to meet increasing demand, both horizontally and vertically, for both on-premise and cloud?
B15 Please provide a logical overview diagram of the components required to make up your offering, both for cloud and on-premise deployments
B16 Please provide an architectural diagram that shows how a highly available solution could be built on-premise
B17 Please demonstrate how individual components of your solution can be scaled in order to cope with demand, both on-premise and cloud
B18 Please provide an anonymized architecture diagram of a real customer in production with your offering. Please provide a cloud and an on-premise version
B19 Please describe the ability of the solution to be monitored by external enterprise tooling, listing any enterprise tooling that works directly with your offering. Also include what metrics and information can be monitored
B20 Please describe what tooling is available for administrators and operators to interact with and control the deployed environments, for both cloud and on-premise
B21 Can the deployments of code, infrastructure and configuration be automated to ensure rapid delivery of a solution either on cloud or on-premise?
B22 Please describe how maintenance, patches, fixes and upgrades are applied to the offering
B23 Does your offering support integration with any messaging technologies such as AMQP, MQ, Kafka, etc.?
Section C. API/Microservices Creation & Deployment

Req. id Requirement
C1 Does your APIm offering support model-driven API creation?
C2 Does your solution support out-of-the-box connectors to other systems?
C3 Does your solution support the automatic creation of APIs and their implementations via out-of-the-box connectors to backend systems or data stores? Please describe how and also list backend systems or data stores
C4 Does your APIm offering have built-in capabilities for creating and running microservices? Please explain
C5 What languages does your solution support for the creation and running of microservices, e.g. Java, Node.js, etc.?
C6 Does your APIm solution include a supported and managed execution environment to run microservices, e.g. a managed cluster of servers or nodes?
C7 Can your APIm solution automatically make APIs and Node.js applications available on cloud platforms, such as IBM Bluemix/AWS/Google Cloud, for consumption?
C8 Does your solution include developer desktop/laptop tooling to create APIs, Node.js applications, and policy flows and to easily deploy them to a managed local or cloud environment?
C9 Does your solution include SaaS tooling to create APIs, Node.js applications, and policy flows and to easily deploy them to a managed environment?
C10 Does your desktop/laptop tooling to create APIs, Node.js applications, and policy flows offer the same functionality as its SaaS counterpart? If not, please describe the differences
C11 Does your solution use any framework built on top of Express?
C12 How does your offering integrate into a continuous development, testing and deployment environment?
C13 Please describe the different options for developing APIs
C14 Please describe the markup languages that are used for API development and how they are edited
C15 Is role-based access enforced on developers?
C16 Please describe how mock APIs and prototyping are supported
C17 Does your API tooling allow the developer to model data?
C18 Can developers enforce schema validation?
C19 What security policies can developers enforce on their APIs?
C20 Can developers create transformation, routing and orchestration logic inside their API definitions?
C21 Does the developer experience change if they are developing for the cloud versus developing for an on-premise solution?
C22 Can a developer work with XML & JSON as part of an API build?
C23 What are the primary languages that an API developer needs to know in order to build an API?
C24 Can a developer expose a REST API from a SOAP web service?
C25 Can a SOAP web service be exposed from a REST API?
C26 Can a developer publish to cloud environments and on-premise environments from the same IDE?
C27 Can developers pull API definitions from any environment that has published APIs?
C28 Can developers build multi-step proxy calls out to multiple back-end services and present this as one API?
C29 Can developers create policies for individual operations on an API?
C30 What level of error handling can an API developer add to an API definition?
C31 Can a developer provide additional documentation such as descriptions, contact info and terms of service?
C32 Can developers control the visibility of an API when it is published?
C33 Do your development tools use any open source products or packages?
C34 Does your development tooling require licensing? If so, how?
C35 Does your developer tooling provide any testing capabilities?
C36 How can your development artifacts be plugged into testing tools?
C37 Does your developer tooling enable auto-generation of APIs on top of back-end systems or databases?
C38 Does your developer tooling make use of a widely used framework or package in order to build APIs?
Section D. API Security, Traffic Management & Mediation (API Gateway)

Req. id Requirement
D1 Does the solution provide a secure, purpose-built gateway? Please explain
D2 Can your API Gateway execute customer's Java code? Please explain
D3 What form factors do you support for your API Gateway?
D4 Does your API Gateway come in a hardware appliance form factor? Please explain
D5 Does your API Gateway support cryptography acceleration in its physical appliance form factor, for TLS offload among other uses?
D6 Does your API Gateway require a database?
D7 Is your API Gateway UI browser-based, or does it require a fat client to be installed on a developer desktop/laptop?
D8 Can your API Gateway be used outside the context of your APIm solution? Can your API Gateway be used separately from your APIm solution?
D9 Does your API Gateway support XML, SOAP and WS-* related standards natively?
D10 What other types of workload does your API Gateway support besides SOAP and REST?
D11 How does your API Gateway support Node.js? Please explain
D12 What kind of rate limiting and quota enforcement features are provided by your API Gateway?
D13 Does your API Gateway have any built-in capabilities for self-balancing across a cluster of gateways and intelligent load balancing to the backend API provider layer?
D14 What security protocols and standards does your API Gateway support?
D15 Does your API Gateway provide built-in support for schema validation?
D16 Does your API Gateway provide built-in support for message digital signatures & encryption?
D17 Does your API Gateway provide built-in security token translation?
D18 Can your API Gateway generate and validate JWT?
D19 Can your API Gateway generate LTPA tokens?
D20 Does your API Gateway support a FIPS 140-2 Level 3 certified Hardware Security Module (HSM)? Does it support a networked HSM?
D21 Does your API Gateway natively support other transport or messaging protocols besides HTTP, e.g. MQ?
D22 Does your API Gateway support wire-speed, native JSON and XML processing?
D23 Does your API Gateway support transport protocol bridging, e.g. from HTTP/SOAP to MQ?
D24 Does your API Gateway support JSON to XML, XML to JSON and Any2Any message transformation without any coding or extension?
D25 Can your API Gateway convert between SOAP and REST without writing code or providing extensions?
D26 Does your API Gateway provide database & mainframe connectivity?
D27 How is your gateway extended in functionality?
D28 Please provide any security accreditations your gateway meets
D29 Please describe how your gateway can be monitored
D30 Please describe the networking capability of the gateway device
D31 Please describe the upgrade process for your gateway, including the impact to production runtime
D32 What level of operating system patching is required in order to keep the gateway secure?
D33 Please provide a list of customers that use your gateway offering
D34 What operating system does your gateway sit on?
D35 Does your API Gateway support routing and orchestration?
D36 Can your API Gateway be configured to be an OAuth provider?
D37 Can your API Gateway use XSLT to do transformation?
D38 Does your API Gateway have a graphical mapper?
D39 Can your gateway redact fields in message payloads on input and output?
D40 What level of error handling is available on the gateway?
D41 Is your gateway able to provide different activities or policies for each individual API and operation on that API, i.e. POST, GET, etc.?
D42 Does your gateway support POST, GET, DELETE, HEAD, PATCH & OPTIONS?
D43 Can your gateway control, manage and shape API traffic? Please describe the policies that can be applied
D44 How is API traffic reported from the gateway?
D45 Can multiple provider channels be exposed from the same gateway with complete segregation, i.e. internal APIs and external APIs running through the same gateway in isolation?
D46 Does your gateway support response caching?
Section E. API Management & Analytics

Req. id Requirement
E1 What REST API description languages does your solution support? And what REST API description language do you support internally in your runtime?
E2 Please describe your support for Open API, i.e. Swagger. Does your corporation belong to the "Open APIs Initiative", i.e. www.openapis.org?
E3 Do you support the creation of REST and SOAP APIs?
E4 Does your APIm solution have any out-of-the-box (OOTB) integration points to automatically manage APIs from other products?
E5 Does your APIm solution support built-in browser-based visual/graphical message mapping?
E6 Does your APIm solution support an external IDE to do visual/graphical message mapping that you can then deploy to the runtime environment?
E7 Please describe the API management lifecycle, versioning, governance, & control. Does your platform support an API lifecycle beyond API naming convention? Please explain
E8 Does your solution include logging capabilities? Please explain
E9 Does your solution include monitoring and alerting capabilities? Please explain
E10 Does your solution support out-of-the-box policies for traffic quota and throttling?
E11 Does your APIm solution include API analytics? If so, please describe what API metrics are captured for analytics
E12 What components of your solution, besides the API gateway, participate in the API analytics collection process? Would the analytics collection process be affected if any of these components experience an outage? Please elaborate
E13 Does your APIm solution support syndication?
E14 Please describe how an API is published from an internal endpoint to an external endpoint
E15 Please describe the process for discovering services and APIs that are to be published on your offering
E16 Please describe how policies are applied to APIs
E17 Can APIs be extended from their original endpoints to include new functionality or data?
E18 Please describe how different environments such as Dev, Test, Staging and Production can be deployed to keep APIs in isolation from each other
E19 Please describe how your API manager communicates with the other components of your solution, such as the API Gateway, Developer Portal, etc.
E20 Please describe how developer communities are managed
E21 Please describe the role-based access for management of the APIs
E22 Please describe the API build chain and how this can be automated
E23 Please describe how templates from other API definitions can be used to create new APIs sharing common functions and operations
E24 Please describe how APIs are version controlled at development time
E25 Please describe the interaction with user registries for API management
E26 Please describe the logical hierarchy of how APIs are deployed and the benefits your offering gains from doing it in this way
E27 Can your offering enforce approvals on users when moving through the API lifecycle?
E28 Can the visibility of APIs be controlled? Please give examples
E29 Can the same APIs be deployed to both internal users and external users but behave differently based on context?
E30 Can APIs be grouped in a way that allows them to be consumable by specific audiences?
E31 Please describe your product's ability to report data on your offering's usage, including screenshots
E32 Does your offering provide customizable dashboards that are consumed through role-based access?
E33 Can your dashboards be presented outside of the offering for consumption by non-technical users?
E34 Please list the data points that are collected for each API call
E35 Can trends of usage be analyzed over time using the tooling?
E36 Can data collected be exported and consumed by other tooling?
E37 Is data available in JSON or CSV formats?
E38 Is the data collected from the API usage asynchronously, to prevent any performance impact on runtime?
E39 Can errors and failures be reported in the analytics?
E40 Are there maps available in the dashboards for detailing geo-location of API calls?
E41 Can API call performance be reported in the tooling?
E42 Can payload data be captured and used for reporting?
Section F. API Socialization (Developer Portal)

Req. id Requirement
F1 Does your Developer Portal include built-in social capabilities, such as forums, blogs, API ranking, API comments, etc.?
F2 Does your Developer Portal leverage any Content Management System?
F3 Do you offer self-service to provision your SaaS Developer Portal? If not, what is the process to provision a SaaS Developer Portal and how long does it take for it to come online?
F4 Does your Developer Portal include an easy-to-use test harness for app developers to try and test APIs?
F5 Does your Developer Portal provide self-service API testing capabilities? Please explain
F6 Does your Developer Portal provide sample code to invoke an API from different platforms, e.g. Swift, Java, Node, Python, Ruby, PHP, cURL, Go, etc., that can be easily copy-and-pasted?
F7 Does your Developer Portal include capabilities to create support tickets and access FAQs?
F8 Is your Developer Portal customizable? Can the Developer Portal be customized to the look, feel and style of our branding? Please explain
F9 Does your Developer Portal allow for self-service app and client secret registration?
F10 Does your Developer Portal allow for the masking of the client id and secret when generated by the system?
F11 Please describe what information is available to subscribing developers when they visit the Developer Portal
F12 Does each developer or developer organization get usage information for the APIs they have subscribed to?
F13 Describe the on-boarding process for new developers wanting to subscribe to APIs
F14 Is the user registration form customizable?
F15 Does your Developer Portal provide the ability to stop developers from using the APIs after they have subscribed?
F16 Can different developer portals be created for specific audiences? If so, how is this done?
F17 What is the method of communication used to interact with the developers who have signed up to your Developer Portal?
F18 Can additional content be added to your Developer Portal above and beyond API documentation?
F19 Please provide public examples of developer portals that are using your offering
F20 Can the visibility of specific APIs be controlled by who has signed up to the Developer Portal?
F21 Does your Developer Portal have OAuth testing tools which enable the complete testing of APIs that are secured with all of the OAuth flows?
F22 Is there an active community of modules or plugins that can be added to the Developer Portal?
F23 Please describe how your Developer Portal can be extended using open technologies
F24 Can control of your Developer Portal be driven via REST APIs?
F25 Please describe the upgrade process for your Developer Portal and the impact it has on production runtime
Section G. Security

Req. id Requirement
G1 Does your APIm solution include security capabilities to manage users, roles, TLS profiles, and user registries? Please explain
G2 What security roles does your APIm solution include out-of-the-box?
G3 What types of external user registries does your APIm solution support?
G4 Does your APIm solution include capabilities to manage developer organizations, applications and subscriptions? Can it also manage developer organizations from cloud providers, such as IBM Bluemix, AWS, or Google? Please explain
G5 Does your Developer Portal provide any 3rd-party authentication mechanism?
G6 Can your Developer Portal use an externally controlled user registry such as LDAP?
G7 Does your Developer Portal have new user creation self-service capabilities?
G8 Does your Developer Portal support CAPTCHA for self-service new user creation as well as API comments?
G9 Does your Developer Portal include invalid password lockout?
G10 Is your API Gateway DMZ-ready out-of-the-box?
G11 Does your API Gateway support FIPS 140-2 Level 3 and Common Criteria EAL4?
G12 Does your API Gateway support out-of-the-box integration to third-party user access management systems, such as IBM Security Access Manager, CA SiteMinder, etc.?
G13 Does your solution come with built-in OAuth token support & token management system? Or does it require a third-party solution for this? If a third-party OAuth provider is needed, what OAuth provider solutions do you support?
G14 For cloud-based hosting, please describe the connectivity options to ensure secure communication and the types of customers who trust this connectivity, using real examples
G15 Please describe how your offering would address the OWASP Top 10 threats
G16 Please describe the token mechanisms your offering supports
G17 What authorization and authentication mechanisms does your offering support on an API level?
G18 How does your offering secure payloads and channels?
G19 Please provide a list of supported security standards
G20 Please describe how granularly your system access can be defined
G21 Please provide the level of control and visibility users can be granted
G22 Please list all recent vulnerabilities that your offering had to be patched for to become secure, e.g. Heartbleed, OpenSSL, Shellshock, data loss, DROWN
G23 Please highlight other security features that come with your offering that would be of benefit to us
G24 Please provide a list of all security accreditations for your offering
G25 Does the offering support HTTP/S?
G26 Please describe how policies are created
G27 Please describe how policies are enforced
G28 Please describe the security mediation features of your offering
G29 Please describe how the interaction between developers and the published APIs is secured
G30 Please describe how you ensure platform security on your cloud offering
G31 Does your offering supply any OAuth testing tools?
G32 Can a developer create an OAuth provider endpoint?
Section H. Training and Support

Req. id Requirement
H1 Please describe the support model your organization provides
H2 Please provide SLAs for any cloud environments
H3 Please provide a link to user communities for your offering
H4 Please provide a link to the public documentation for your offering
H5 Please provide public links to reference architecture that is relevant to your offering
H6 Please provide links to any freely available tutorials for your offering
H7 Please provide details of the free training that your organization provides for your offering
H8 Please provide details on the professional services you offer in order to implement an APIm solution
Section I. Industry Experience

Req. id Requirement
I1 Please describe your company's vision for API usage in my industry
I2 Please describe your company's experience in supporting my industry outside the API management domain