API Evangelist

API Governance at the Agent Consumption Layer: Governing 405 Operations Across 36 APIs Without Changing Team Behavior

APIDays Amsterdam

Kin Lane
API Evangelist
[email protected]

01 / 09

My API Governance Journey

Chief Evangelist @ Postman · API Governance Lead @ Bloomberg · Chief Community Officer @ API Evangelist
Technology, business, and politics of APIs @ API Evangelist since 2010 → API producer mindset → API standardization → API discovery → Chief Evangelist @ Postman and Host of Breaking Changes Podcast → API consumer mindset → OpenAPI, AsyncAPI, JSON Schema → A focus on product-led API governance → API Governance Lead @ Bloomberg → API Evangelist → AI integration
02 / 09

What is API Governance, Really?

OpenAPI · AsyncAPI · JSON Schema
Spectral Rules · Vacuum Rules
VSCode · IntelliJ
Git · CI/CD Pipelines
API Gateway
Design Guides → OpenAPI → AsyncAPI → JSON Schema → Spectral or Vacuum rules → Linting → CLI → Editors → IDE → Git → CI/CD pipelines → Gateways → Platforms → Portals → Catalogs → Teams → Domains → Lines of Business → Products → Sales → Support → Customers → Feedback Loops
03 / 09

36 APIs · 405 Operations · One Governed Interface

{
  "$schema": "https://www.krakend.io/schema/v2.7/krakend.json",
  "version": 3,
  "name": "security-ops",
  "endpoints": [
    {
      "endpoint": "/address-objects",
      "method": "GET",
      "backend": [
        {
          "host": ["https://fw.corp"],
          "url_pattern":
            "/restapi/v10.2/Objects/Addresses",
          "extra_config": {
            "auth/api-key": {
              "header": "X-PAN-KEY",
              "value": "{{env \"PANOS_KEY\"}}"
            }
          }
        }
      ]
    },
    {
      "endpoint": "/alerts",
      "method": "GET",
      "extra_config": {
        "qos/ratelimit/router": {
          "max_rate": 100,
          "client_max_rate": 10
        }
      },
      "backend": [
        {
          "host": ["https://api.prismacloud.io"],
          "url_pattern": "/iam/v1/alerts",
          "extra_config": {
            "auth/api-key": {
              "header": "Authorization",
              "value": "Bearer {{env \"PRISMA_TOKEN\"}}"
            }
          }
        }
      ]
    }
  ]
}
KrakenD API Gateway — Rate Limiting · Auth · Routing · Aggregation
KrakenD → Endpoints → Backends → Auth Enforcement → Rate Limiting → Transformation → Aggregation → Observability → Compliance
04 / 09

Consumer Needs · Multiple API Providers · KrakenD

{
  "$schema": "https://www.krakend.io/schema/v2.7/krakend.json",
  "version": 3,
  "name": "security-ops",
  "endpoints": [
    {
      "endpoint": "/address-objects",
      "method": "GET",
      "backend": [{
        "host": ["https://fw.corp"],
        "url_pattern":
          "/restapi/v10.2/Objects/Addresses"
      }]
    },
    {
      "endpoint": "/alerts",
      "method": "GET",
      "backend": [{
        "host": ["https://api.prismacloud.io"],
        "url_pattern": "/iam/v1/alerts"
      }]
    },
    {
      "endpoint": "/users",
      "method": "GET",
      "backend": [{
        "host": ["https://tenant.okta.com"],
        "url_pattern": "/api/v1/users"
      }]
    },
    {
      "endpoint": "/security-summary",
      "method": "GET",
      "extra_config": {
        "qos/ratelimit/router": {
          "max_rate": 50,
          "client_max_rate": 5
        }
      },
      "backend": [
        {
          "host": ["https://fw.corp"],
          "url_pattern":
            "/restapi/v10.2/Objects/Addresses",
          "group": "network"
        },
        {
          "host": ["https://api.prismacloud.io"],
          "url_pattern": "/iam/v1/alerts",
          "group": "alerts"
        },
        {
          "host": ["https://tenant.okta.com"],
          "url_pattern": "/api/v1/users",
          "group": "users"
        }
      ]
    }
  ]
}
KrakenD API Gateway — Rate Limiting · Auth · Routing · Aggregation
KrakenD → Multi-Backend Aggregation → Unified Endpoint → Rate Limiting → Auth per Backend → Response Merging → One Governed Interface

# spectral.krakend.yml
rules:
  endpoint-rate-limit:
    message: "Rate limit required"
    given: "$.endpoints[*]"
    severity: error
    then:
      field: "extra_config[qos/ratelimit/router]"
      function: defined

  endpoint-auth:
    message: "Auth required"
    given: "$.endpoints[*]"
    severity: error
    then:
      field: "extra_config[auth/validator]"
      function: defined
build time · run time
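The two Spectral rules above, re-implemented as a plain Python check so the same build-time gate can run in CI over a KrakenD config. This is an added example, not code from the slides; the config it lints is a constructed subset of the slide's security-ops gateway, and the `lint`/`passes` functions are this example's own.

```python
import json

# Constructed subset of the slide's security-ops gateway: /users has no
# governance at all; /security-summary is rate limited but only carries a
# backend-level API key. That key is a provider credential forwarded by the
# gateway, not consumer authentication, so it does not satisfy the
# endpoint-auth rule, which looks for endpoint-level auth/validator.
SAMPLE_CONFIG = json.loads("""{
  "version": 3,
  "name": "security-ops",
  "endpoints": [
    {"endpoint": "/users", "method": "GET",
     "backend": [{"host": ["https://tenant.okta.com"],
                  "url_pattern": "/api/v1/users"}]},
    {"endpoint": "/security-summary", "method": "GET",
     "extra_config": {"qos/ratelimit/router":
                      {"max_rate": 50, "client_max_rate": 5}},
     "backend": [{"host": ["https://fw.corp"],
                  "url_pattern": "/restapi/v10.2/Objects/Addresses",
                  "extra_config": {"auth/api-key":
                      {"header": "X-PAN-KEY", "value": "CONSTRUCTED"}}}]}
  ]
}""")

# Same shape as the Spectral rules: given $.endpoints[*], the namespace
# must be defined in the endpoint's own extra_config; severity is error.
RULES = {
    "endpoint-rate-limit": ("qos/ratelimit/router", "Rate limit required"),
    "endpoint-auth": ("auth/validator", "Auth required"),
}


def lint(config):
    """Return (rule, endpoint, message) for every missing control."""
    findings = []
    for ep in config.get("endpoints", []):
        extra = ep.get("extra_config") or {}
        for rule, (namespace, message) in RULES.items():
            if namespace not in extra:
                findings.append((rule, ep.get("endpoint", "?"), message))
    return findings


def passes(config):
    """Gate for CI: the config is only deployable when lint() is empty."""
    return not lint(config)


if __name__ == "__main__":
    for rule, endpoint, message in lint(SAMPLE_CONFIG):
        print(f"error  {endpoint}  {rule}: {message}")
```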
05 / 09

GraphQL — Typed Schema at the Consumption Layer

GraphQL
{
  "__schema": {
    "queryType": { "name": "Query" },
    "types": [
      {
        "name": "Query",
        "fields": [
          { "name": "addressObjects",
            "type": { "name": "AddressObject" } },
          { "name": "alerts",
            "type": { "name": "Alert" } },
          { "name": "users",
            "type": { "name": "User" } }
        ]
      },
      {
        "name": "AddressObject",
        "fields": [
          { "name": "name", "type": { "name": "String" } },
          { "name": "ip",   "type": { "name": "String" } },
          { "name": "type", "type": { "name": "String" } }
        ]
      }
    ]
  }
}
{
  "data": {
    "addressObjects": [
      {
        "name": "corp-subnet",
        "ip": "10.0.0.0/8",
        "type": "ip-netmask"
      }
    ],
    "alerts": [
      {
        "id": "ALT-001",
        "severity": "high",
        "status": "open"
      }
    ],
    "users": [
      {
        "id": "U-123",
        "email": "[email protected]",
        "role": "admin"
      }
    ]
  }
}
GraphQL → Typed Schema → Single Endpoint → Query Shape → Field-Level Governance → Introspection → Consumer-Defined Queries → Aggregated Response
06 / 09

MCP — Model Context Protocol for AI Agents

MCP
{
  "tools": [
    {
      "name": "list_address_objects",
      "description":
        "List firewall address objects",
      "inputSchema": {
        "type": "object",
        "properties": {
          "type": {
            "type": "string",
            "enum": [
              "ip-netmask",
              "ip-range"
            ]
          }
        }
      }
    },
    {
      "name": "list_alerts",
      "description":
        "List Prisma Cloud security alerts",
      "inputSchema": {
        "type": "object",
        "properties": {
          "severity": {
            "type": "string",
            "enum": ["high","medium","low"]
          }
        }
      }
    }
  ]
}
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "list_alerts",
    "arguments": {
      "severity": "high"
    }
  }
}

{
  "jsonrpc": "2.0",
  "id": 1,
  "result": {
    "content": [
      {
        "type": "text",
        "text": "[{\"id\":\"ALT-001\",\"severity\":\"high\",\"status\":\"open\",\"resource\":\"fw.corp\"}]"
      }
    ]
  }
}
MCP → JSON-RPC 2.0 → Tool Definitions → Input Schema → Agent-Callable Operations → Governed Interface for AI → Structured Responses
07 / 09

Agent Skills — Governed, Reusable Capabilities

---
name: security-triage
description: >
  Correlate high-severity alerts
  with users and network objects
tools:
  - list_alerts
  - list_users
  - list_address_objects
governance:
  auth: required
  rate_limit: 10/min
  audit_log: true
  allowed_roles:
    - security-analyst
    - soc-operator
---
Given high-severity alerts, cross-reference affected users and network objects, then summarize findings.
Agent Skills
{
  "skill": "security-triage",
  "invoke": {
    "context": "incident-2026",
    "scope": "prod"
  }
}

// → calls list_alerts(high)
// → calls list_users(active)
// → calls list_address_objects()

{
  "skill": "security-triage",
  "result": {
    "alerts": 3,
    "affected_users": 2,
    "network": ["10.0.0.0/8"],
    "summary": "2 accounts accessed flagged network ranges during 3 open high-severity alerts"
  }
}
Agent Skills → Named Capability → Governed Tool Composition → Auth + Rate Limit + Audit → Reusable Across Agents → Policy Enforced at Invocation
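Policy enforced at invocation, as an added example rather than code from the slides: a gate that applies the skill's governance block (auth required, allowed_roles, the 10/min rate limit, audit log) and the MCP tools' inputSchema enums before any tool call is dispatched. The `InvocationGate` class, the injected clock, and the `principal` dict (`sub`, `role`) are assumptions of this example; the skill and tool definitions are constructed from slides 06 and 07.

```python
from collections import deque

# Constructed from the SKILL frontmatter and the MCP tools/list on the slides.
SKILL = {
    "name": "security-triage",
    "tools": ["list_alerts", "list_users", "list_address_objects"],
    "governance": {"auth": "required", "rate_limit": "10/min",
                   "audit_log": True,
                   "allowed_roles": ["security-analyst", "soc-operator"]},
}
TOOL_SCHEMAS = {  # inputSchema enums, flattened to {arg: allowed values}
    "list_alerts": {"severity": ["high", "medium", "low"]},
    "list_address_objects": {"type": ["ip-netmask", "ip-range"]},
    "list_users": {},
}

class InvocationGate:
    """Decides every tool call an agent makes on behalf of a skill."""
    def __init__(self, skill, schemas, clock):
        self.skill, self.schemas, self.clock = skill, schemas, clock
        self.limit = int(skill["governance"]["rate_limit"].split("/")[0])
        self.window = deque()   # timestamps of calls accepted in the last minute
        self.audit = []         # audit_log: true -> record every decision

    def _decide(self, principal, tool, args, ok, reason):
        self.audit.append({"t": self.clock(), "who": principal.get("sub"),
                           "tool": tool, "args": args, "ok": ok, "why": reason})
        return ok, reason

    def authorize(self, principal, tool, args):
        gov = self.skill["governance"]
        if gov["auth"] == "required" and not principal.get("sub"):
            return self._decide(principal, tool, args, False, "unauthenticated")
        if principal.get("role") not in gov["allowed_roles"]:
            return self._decide(principal, tool, args, False, "role not allowed")
        if tool not in self.skill["tools"]:   # composition is closed
            return self._decide(principal, tool, args, False, "tool outside skill")
        for key, value in args.items():       # enum check from inputSchema
            allowed = self.schemas[tool].get(key)
            if allowed is None or value not in allowed:
                return self._decide(principal, tool, args, False, f"bad arg {key}")
        now = self.clock()                    # sliding 60 s window, 10 calls
        while self.window and now - self.window[0] >= 60:
            self.window.popleft()
        if len(self.window) >= self.limit:
            return self._decide(principal, tool, args, False, "rate limited")
        self.window.append(now)
        return self._decide(principal, tool, args, True, "allowed")
```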
08 / 09

Are We Governing People or Are We Governing Engine(s)

Govern people · Govern the engine
Supply Chains → SaaS → People → Teams → Tribes → Products → Budgets → Lifecycle → Versions → Protocols → Patterns → Standards → Pipelines → Gateways → Centralization → Federation → Documentation → Portal → Sales → Support → Customers → Distribution → Regions → Regulation → Global
09 / 09

Consumer-Defined Governance

Desktop · Web · Mobile · Copilots · Agents · Automation
Consumers → Desktop → Web → Mobile → Copilots → Agents → Automation → Orchestration → Compliance → Observability → Standardization → Context → Transparency → Configuration → Policies → Ephemeral → Secure → Sovereign → Regional → Open-Source → On-Premise → Cloud → Local

Govern the Consumer Layer.
Let Producers Ship What They Ship.

Kin Lane  •  [email protected]
