{"id":746,"date":"2026-04-15T10:17:56","date_gmt":"2026-04-15T10:17:56","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-api-platform-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-other-services\/"},"modified":"2026-04-15T10:17:56","modified_gmt":"2026-04-15T10:17:56","slug":"oracle-cloud-api-platform-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-other-services","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-api-platform-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-other-services\/","title":{"rendered":"Oracle Cloud API Platform Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Other Services"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Other Services<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Oracle Cloud <strong>API Platform<\/strong> is Oracle\u2019s API management offering designed to help teams publish, secure, monitor, and govern APIs across their organization.<\/p>\n\n\n\n<p>In simple terms: <strong>API Platform sits between your API consumers (apps, partners, developers) and your backend services<\/strong>, providing a controlled \u201cfront door\u201d where you can enforce authentication, rate limits, and policies, and where developers can discover and subscribe to APIs.<\/p>\n\n\n\n<p>Technically, API Platform typically includes a <strong>management plane<\/strong> (where APIs are defined, versioned, and published), one or more <strong>API Gateway runtimes<\/strong> (that enforce policies and route traffic to backend services), and often a <strong>developer portal\/catalog<\/strong> for onboarding and API consumption. It centralizes common cross-cutting concerns\u2014security, traffic shaping, observability, and governance\u2014so every backend team doesn\u2019t have to reinvent them.<\/p>\n\n\n\n<p>The main problem API Platform solves is the operational and security complexity of running APIs at scale: inconsistent authentication approaches, lack of visibility, unmanaged breaking changes, uncontrolled traffic spikes, and fragmented developer onboarding.<\/p>\n\n\n\n<blockquote>\n<p><strong>Important note about naming and service lifecycle:<\/strong> Oracle has historically offered <strong>Oracle API Platform Cloud Service<\/strong> (often shortened to <strong>API Platform<\/strong>). Oracle Cloud also provides <strong>OCI API Gateway<\/strong> as an OCI-native service for API exposure. Availability, onboarding, and recommended patterns can vary by account type and region. <strong>Verify the current status, availability, and recommended successor path in official Oracle documentation for your tenancy<\/strong> before standardizing on it for new projects.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is API Platform?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>API Platform\u2019s purpose is to provide a managed way to <strong>design, publish, secure, and operate APIs<\/strong>\u2014including internal APIs, partner APIs, and public APIs\u2014using consistent policies and centralized governance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (what teams use it for)<\/h3>\n\n\n\n<p>Common API Platform capabilities include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API onboarding and publishing<\/strong>: Define APIs, publish versions, manage lifecycle states (draft\/published\/deprecated).<\/li>\n<li><strong>Runtime enforcement<\/strong>: Route requests to backend services and enforce security and traffic policies.<\/li>\n<li><strong>Consumer onboarding<\/strong>: Provide a portal\/catalog experience and\/or application registration and credentials issuance.<\/li>\n<li><strong>Analytics\/monitoring<\/strong>: Track API usage, errors, latency, and consumer activity (capabilities vary by edition and integration).<\/li>\n<li><strong>Governance<\/strong>: Standardize API design, ownership, and policy baselines.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>If you rely on a specific capability (for example, monetization, advanced analytics, GraphQL, or mTLS), <strong>verify in official docs<\/strong> for your API Platform edition and your Oracle Cloud environment.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual)<\/h3>\n\n\n\n<p>While names and packaging can vary, API management platforms generally include:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>API Manager \/ Control plane<\/strong>\n   &#8211; Where API definitions, policies, applications, and publishing actions are managed.<\/li>\n<li><strong>API Gateway \/ Runtime plane<\/strong>\n   &#8211; One or more gateways that receive inbound traffic, validate\/authenticate, enforce policies, and proxy to backends.<\/li>\n<li><strong>Developer Portal \/ Catalog (if available)<\/strong>\n   &#8211; A place for consumers to find APIs, read docs, register apps, and obtain keys\/tokens.<\/li>\n<li><strong>Identity integration<\/strong>\n   &#8211; Typically integrates with Oracle identity services (Oracle Cloud Identity \/ IAM \/ IDCS depending on your environment) for admin access and OAuth flows.<\/li>\n<li><strong>Logging\/analytics<\/strong>\n   &#8211; Built-in or integrated dashboards for operational visibility (verify exact integration options).<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<p>API Platform is best understood as <strong>API management (APIM)<\/strong>: policy-driven governance + runtime API gateway functionality.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scope (regional\/global\/account-scoped)<\/h3>\n\n\n\n<p>Scope depends on how your Oracle Cloud API Platform is provisioned:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Management plane<\/strong> is typically <strong>tenant\/subscription scoped<\/strong>.<\/li>\n<li><strong>Runtime gateways<\/strong> can be deployed in one or more network zones and may support multiple environments (dev\/test\/prod), depending on how Oracle provides it in your account.<\/li>\n<li>Region availability and deployment model can vary. <strong>Verify in official docs for your Oracle Cloud account type<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Oracle Cloud ecosystem<\/h3>\n\n\n\n<p>API Platform is commonly used alongside:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Oracle Cloud Identity \/ IAM<\/strong>: admin access control and OAuth\/OIDC integration.<\/li>\n<li><strong>Oracle Cloud Infrastructure networking<\/strong>: VCN, subnets, security lists\/NSGs, private endpoints (where applicable).<\/li>\n<li><strong>Compute \/ Kubernetes \/ Functions<\/strong>: backend services that the gateway routes to.<\/li>\n<li><strong>Observability services<\/strong>: logging\/metrics\/alarms (integration model depends on edition; verify).<\/li>\n<li><strong>WAF \/ Load Balancer<\/strong>: optional edge protection and traffic management in front of gateways.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use API Platform?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster partner onboarding<\/strong>: standard way to publish APIs and issue credentials.<\/li>\n<li><strong>Reduced delivery risk<\/strong>: versioning, lifecycle controls, and consistent rollout approach.<\/li>\n<li><strong>Better productization of APIs<\/strong>: treat APIs as products with owners, contracts, and usage insights.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Consistent security controls<\/strong> across APIs: API keys, OAuth 2.0\/OIDC, JWT validation, TLS enforcement (verify exact supported policies).<\/li>\n<li><strong>Traffic shaping<\/strong>: rate limiting\/quotas to protect backends.<\/li>\n<li><strong>Central policy enforcement<\/strong>: headers, CORS policies, request\/response transformations (verify).<\/li>\n<li><strong>Decoupling<\/strong>: clients call stable gateway endpoints while backend services evolve.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Standardized routing layer<\/strong>: common logging, analytics, and alerting patterns.<\/li>\n<li><strong>Reduced operational overhead<\/strong> compared to building custom gateways per team.<\/li>\n<li><strong>Central governance and inventory<\/strong>: know what APIs exist, who owns them, and who consumes them.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Auditability<\/strong>: centralized change management and access control.<\/li>\n<li><strong>Least privilege<\/strong>: grant teams access to only their APIs and environments.<\/li>\n<li><strong>Controlled exposure<\/strong>: reduce direct internet exposure of backend services; keep backends private.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Backpressure<\/strong> via rate limiting and quotas.<\/li>\n<li><strong>Caching and optimization<\/strong> may be available depending on policies and runtime configuration (verify).<\/li>\n<li><strong>Horizontal scaling<\/strong> via multiple gateway nodes\/instances (deployment model varies).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose API Platform when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple teams publishing APIs with consistent governance<\/li>\n<li>A developer onboarding experience (portal\/app registration)<\/li>\n<li>Security and traffic controls centralized at the edge of your services<\/li>\n<li>Clear separation between control plane (management) and data plane (runtime)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Consider alternatives when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You only need a simple reverse proxy for one service (an ingress controller, NGINX, or load balancer may be simpler).<\/li>\n<li>You require a capability not supported by your API Platform edition (e.g., advanced GraphQL features, complex monetization, strict mTLS everywhere)\u2014validate first.<\/li>\n<li>You are standardizing purely on OCI-native services and your organization prefers <strong>OCI API Gateway<\/strong> for new builds (common in OCI-only footprints).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is API Platform used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Financial services (partner APIs, PSD2-like patterns, secure exposure)<\/li>\n<li>Retail and e-commerce (mobile APIs, partner integrations)<\/li>\n<li>Healthcare (controlled API access, auditing)<\/li>\n<li>Telecom (high-volume API programs, throttling)<\/li>\n<li>SaaS and ISVs (public APIs, developer onboarding)<\/li>\n<li>Manufacturing\/logistics (B2B integrations and IoT APIs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams building internal API foundations<\/li>\n<li>Integration teams exposing ERP\/CRM data as APIs<\/li>\n<li>App teams needing secure\/public endpoints without re-implementing auth<\/li>\n<li>Security teams standardizing API controls and threat mitigation patterns<\/li>\n<li>SRE\/operations teams centralizing observability and incident response<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads and architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microservices fronted by an API gateway<\/li>\n<li>Hybrid apps with on-prem backends exposed securely to cloud consumers<\/li>\n<li>Multi-environment (dev\/test\/prod) with gated promotions and versioning<\/li>\n<li>Partner ecosystems with per-partner credentials and quotas<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: strict IAM, change controls, WAF, private backends, monitoring, rate limiting<\/li>\n<li><strong>Dev\/test<\/strong>: low-cost gateway footprints, relaxed quotas, synthetic tests, rapid iteration<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where API Platform is commonly used.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Central API gateway for microservices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Each microservice team exposes endpoints differently, leading to inconsistent auth, logging, and rate limits.<\/li>\n<li><strong>Why API Platform fits:<\/strong> Centralizes security and traffic policies at a shared entry point.<\/li>\n<li><strong>Example:<\/strong> An OKE-based microservices stack is exposed through API Platform gateways with standardized JWT validation and per-route throttles.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Partner API program with onboarding controls<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Partners need access, but credentialing and quota management are manual and inconsistent.<\/li>\n<li><strong>Why it fits:<\/strong> Provides application registration and policy-based quotas (verify policy names\/features).<\/li>\n<li><strong>Example:<\/strong> A logistics company publishes \u201cShipment Tracking API\u201d to partners, issuing keys and enforcing partner-specific quotas.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Securely expose on-prem services to cloud\/mobile apps<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> On-prem services are not safe to expose directly and lack modern auth.<\/li>\n<li><strong>Why it fits:<\/strong> Gateways can front legacy services and enforce modern authentication.<\/li>\n<li><strong>Example:<\/strong> A bank exposes a legacy SOAP\/REST facade through API Platform, enforcing OAuth and TLS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) API lifecycle governance and versioning<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Breaking changes are pushed without warning; consumers are surprised.<\/li>\n<li><strong>Why it fits:<\/strong> Supports API versioning and lifecycle controls (verify implementation details).<\/li>\n<li><strong>Example:<\/strong> v1 remains supported while v2 is published; consumers migrate over 90 days.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Rate limiting to protect fragile backends<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Spikes from mobile clients overload downstream databases.<\/li>\n<li><strong>Why it fits:<\/strong> Enforces rate limits\/quotas at the gateway before traffic hits backends.<\/li>\n<li><strong>Example:<\/strong> \u201cSearch API\u201d is limited to 50 requests\/minute per app key.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Unified authentication for many APIs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Some APIs use API keys, others basic auth, others custom tokens.<\/li>\n<li><strong>Why it fits:<\/strong> Standardizes access via OAuth2\/OIDC and\/or API keys (verify supported methods).<\/li>\n<li><strong>Example:<\/strong> All APIs require JWT access tokens issued by Oracle identity service; legacy key-based APIs are phased out.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Observability for API operations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Hard to answer \u201cwho is calling what, and why are they failing?\u201d<\/li>\n<li><strong>Why it fits:<\/strong> Central capture of metrics\/logs and consumer usage analytics.<\/li>\n<li><strong>Example:<\/strong> SRE uses gateway logs\/analytics to identify a single partner causing elevated 429 responses.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Blue\/green API backend migrations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Backend services must be migrated without changing client endpoints.<\/li>\n<li><strong>Why it fits:<\/strong> Update gateway routing to new backend with minimal client impact.<\/li>\n<li><strong>Example:<\/strong> Route 10% of traffic to new service; then 100% after validation (if supported; otherwise change via deployment workflow).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) API catalog for internal developers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams don\u2019t know which APIs exist; duplication occurs.<\/li>\n<li><strong>Why it fits:<\/strong> A portal\/catalog improves discoverability and reuse.<\/li>\n<li><strong>Example:<\/strong> Internal platform publishes HR and Finance APIs; teams self-serve documentation and credentials.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Enforcing compliance policies (headers, TLS, allowed methods)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Regulatory requirements demand consistent TLS and request handling.<\/li>\n<li><strong>Why it fits:<\/strong> Policy enforcement at the gateway reduces per-service compliance work.<\/li>\n<li><strong>Example:<\/strong> All APIs enforce TLS and reject insecure cipher suites (where configurable; verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Multi-tenant SaaS API separation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Tenant isolation must be enforced consistently.<\/li>\n<li><strong>Why it fits:<\/strong> Gateway policies can validate tenant claims and apply tenant-specific limits.<\/li>\n<li><strong>Example:<\/strong> Tenant ID in JWT is validated; requests without required claim are rejected.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Controlled public APIs with WAF in front<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Public APIs are subject to scanning, abuse, and OWASP API threats.<\/li>\n<li><strong>Why it fits:<\/strong> API Platform gateway enforces auth\/rate limits; WAF adds additional edge protection.<\/li>\n<li><strong>Example:<\/strong> OCI WAF blocks suspicious patterns; gateway returns 401\/429 for unauthorized\/abusive clients.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Exact feature availability can vary by edition and Oracle Cloud environment. For critical requirements, <strong>verify in official docs<\/strong> for your API Platform deployment.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">API definition onboarding (OpenAPI\/Swagger and\/or RAML)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you define an API contract and publish it through the platform.<\/li>\n<li><strong>Why it matters:<\/strong> Contracts make APIs predictable and versionable.<\/li>\n<li><strong>Practical benefit:<\/strong> Consumers can generate clients; platform can map routes and policies consistently.<\/li>\n<li><strong>Caveats:<\/strong> Supported spec versions and import\/export behavior vary\u2014verify supported OpenAPI versions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">API lifecycle management (versions, states)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports publishing versions and managing lifecycle (draft\/published\/deprecated).<\/li>\n<li><strong>Why it matters:<\/strong> Prevents breaking changes and unmanaged API sprawl.<\/li>\n<li><strong>Benefit:<\/strong> Safer upgrades; clearer ownership.<\/li>\n<li><strong>Caveats:<\/strong> Deprecation workflows differ by product\/version.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Policy enforcement at the gateway<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Applies policies like authentication, authorization, throttling, header enforcement, and more.<\/li>\n<li><strong>Why it matters:<\/strong> Centralizes cross-cutting requirements.<\/li>\n<li><strong>Benefit:<\/strong> Backends can focus on business logic.<\/li>\n<li><strong>Caveats:<\/strong> Policy catalog varies; some transformations may be limited.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Authentication and authorization integration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Integrates with Oracle identity services and supports common API auth patterns (API keys, OAuth2\/OIDC\/JWT validation\u2014verify).<\/li>\n<li><strong>Why it matters:<\/strong> Strong, standardized identity is the foundation of secure APIs.<\/li>\n<li><strong>Benefit:<\/strong> Reduced custom auth code and fewer security gaps.<\/li>\n<li><strong>Caveats:<\/strong> Token formats, claim mapping, and identity provider setup must be validated in docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Application registration and consumer management<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Allows creation of \u201capplications\u201d that receive credentials and subscribe to APIs.<\/li>\n<li><strong>Why it matters:<\/strong> Enables per-consumer quotas and auditing.<\/li>\n<li><strong>Benefit:<\/strong> You can identify abusive consumers and rotate credentials.<\/li>\n<li><strong>Caveats:<\/strong> The portal experience and self-service options vary.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Developer portal \/ API catalog (if available)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Documents APIs and enables discovery and onboarding.<\/li>\n<li><strong>Why it matters:<\/strong> Reduces friction and support load.<\/li>\n<li><strong>Benefit:<\/strong> Self-service access to docs, keys, sample calls.<\/li>\n<li><strong>Caveats:<\/strong> Branding, customization, and workflow vary.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Analytics and reporting<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Tracks usage, latency, error rates, and consumer activity.<\/li>\n<li><strong>Why it matters:<\/strong> Helps with troubleshooting, capacity planning, and product decisions.<\/li>\n<li><strong>Benefit:<\/strong> Identify top endpoints, failure patterns, and performance bottlenecks.<\/li>\n<li><strong>Caveats:<\/strong> Retention, granularity, and export options vary; verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Environment separation (dev\/test\/prod)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports separate gateways and\/or configurations per environment.<\/li>\n<li><strong>Why it matters:<\/strong> Prevents test changes from impacting production.<\/li>\n<li><strong>Benefit:<\/strong> Controlled promotions and safer releases.<\/li>\n<li><strong>Caveats:<\/strong> How environments are modeled is product\/version specific.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Gateway deployment flexibility (cloud and\/or on-prem)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Allows gateway runtime placement close to backends or within required network zones.<\/li>\n<li><strong>Why it matters:<\/strong> Hybrid architectures are common.<\/li>\n<li><strong>Benefit:<\/strong> Keep sensitive backends private while still offering secure APIs.<\/li>\n<li><strong>Caveats:<\/strong> Installation model, sizing, and HA options depend on your offering; verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">TLS termination and certificate management<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Terminates TLS at the gateway; manages server certificates.<\/li>\n<li><strong>Why it matters:<\/strong> Secure transport is mandatory for production APIs.<\/li>\n<li><strong>Benefit:<\/strong> Central certificate lifecycle rather than per-service.<\/li>\n<li><strong>Caveats:<\/strong> mTLS support and certificate automation vary.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>API Platform generally uses a <strong>control plane \/ data plane<\/strong> model:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane (management):<\/strong> admins define APIs, policies, and publish them.<\/li>\n<li><strong>Data plane (runtime gateways):<\/strong> gateways receive traffic, enforce policies, then route to backend services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Request flow (data plane)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Client calls an API endpoint hosted by API Platform Gateway.<\/li>\n<li>Gateway validates TLS, checks authentication (API key \/ OAuth token), and evaluates policies (rate limit, allowed methods, etc.).<\/li>\n<li>Gateway forwards the request to the configured backend endpoint (private or public).<\/li>\n<li>Gateway returns the backend response to the client (optionally applying response policies).<\/li>\n<li>Logs\/metrics are produced for operations and analytics (implementation varies).<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Control flow (management plane)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>API owner uploads\/creates API definition.<\/li>\n<li>API owner configures policies and backend mapping.<\/li>\n<li>API is published to gateway(s) and optionally to a developer portal\/catalog.<\/li>\n<li>Consumers register apps and receive credentials.<\/li>\n<li>Operations monitors usage and adjusts policies as needed.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations in Oracle Cloud environments include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identity:<\/strong> Oracle Cloud Identity \/ IAM (and in some environments Oracle Identity Cloud Service).<\/li>\n<li><strong>Networking:<\/strong> VCN, subnets, NSGs, security lists, DRG\/VPN\/FastConnect for hybrid.<\/li>\n<li><strong>Edge security:<\/strong> OCI WAF (optional) in front of gateways.<\/li>\n<li><strong>Backend hosting:<\/strong> OCI Compute, OKE (Kubernetes), Functions, Integration services.<\/li>\n<li><strong>Observability:<\/strong> OCI Logging\/Monitoring or built-in analytics (depends on edition; verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Admin access<\/strong>: controlled via identity groups\/roles (service admin, API owner, viewer).<\/li>\n<li><strong>Consumer access<\/strong>: API key and\/or OAuth 2.0 access tokens; gateway validates credentials and enforces authorization policies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Gateways sit in front of backends.<\/li>\n<li>For production, backends should be private where possible; gateway has network route to backends.<\/li>\n<li>Public exposure can be limited to the gateway endpoint (and optionally WAF\/LB).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Decide early: what logs are needed (access logs, auth failures, latency, backend errors).<\/li>\n<li>Define SLOs: availability, p95 latency, error rate.<\/li>\n<li>Establish governance: naming standards, tags, ownership metadata, deprecation policy, change approvals.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  A[API Consumer&lt;br\/&gt;(App \/ Partner \/ Developer)] --&gt;|HTTPS| G[API Platform Gateway]\n  G --&gt;|Policy enforcement&lt;br\/&gt;Auth + Rate limit| B[Backend API Service]\n  M[API Platform Manager&lt;br\/&gt;(Control plane)] --&gt;|Publish APIs\/Policies| G\n  P[Developer Portal \/ Catalog] --&gt;|Discover &amp; Subscribe| A\n  M --&gt; P\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Internet\n    C[Consumers&lt;br\/&gt;Mobile \/ Web \/ Partners]\n  end\n\n  subgraph Edge[\"Edge (Public Subnet)\"]\n    WAF[OCI WAF&lt;br\/&gt;(optional)]\n    LB[Load Balancer&lt;br\/&gt;(optional)]\n  end\n\n  subgraph GatewayZone[\"API Platform Gateway Tier\"]\n    G1[Gateway Node A]\n    G2[Gateway Node B]\n  end\n\n  subgraph Backends[\"Private Backends (VCN \/ On-Prem)\"]\n    OKE[OKE Microservices]\n    VM[Compute VM API]\n    ONP[On-Prem APIs&lt;br\/&gt;via VPN\/DRG]\n  end\n\n  subgraph ControlPlane[\"Control Plane\"]\n    MGR[API Platform Manager]\n    ID[Oracle Identity&lt;br\/&gt;(IAM\/Identity)]\n    OBS[Logging\/Monitoring&lt;br\/&gt;(varies by edition)]\n  end\n\n  C --&gt;|HTTPS| WAF --&gt; LB --&gt; G1\n  LB --&gt; G2\n  G1 --&gt;|HTTPS\/Private| OKE\n  G1 --&gt; VM\n  G2 --&gt;|DRG\/VPN| ONP\n\n  MGR --&gt;|Config &amp; Publish| G1\n  MGR --&gt;|Config &amp; Publish| G2\n  ID --&gt;|Admin auth \/ OAuth config| MGR\n  G1 --&gt; OBS\n  G2 --&gt; OBS\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<p>Because Oracle Cloud \u201cAPI Platform\u201d availability and onboarding can vary by account type, confirm prerequisites in official docs first.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/tenancy requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An Oracle Cloud account\/tenancy with access to <strong>API Platform<\/strong> (or Oracle API Platform Cloud Service).<\/li>\n<li>If API Platform is not available for new provisioning in your environment, consider using <strong>OCI API Gateway<\/strong> and treat this guide as conceptual plus migration guidance (verify Oracle\u2019s current recommendation).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You typically need:\n&#8211; <strong>Service admin<\/strong> privileges for API Platform\n&#8211; Ability to manage:\n  &#8211; gateways \/ deployments\n  &#8211; API definitions and policies\n  &#8211; applications\/consumers\n&#8211; Identity admin privileges may be required to configure OAuth clients\/groups (depending on integration).<\/p>\n\n\n\n<blockquote>\n<p>Exact role names differ by Oracle Cloud environment. <strong>Verify required roles in the official documentation for your API Platform edition.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API Platform is generally a paid service (subscription or consumption). Ensure billing is enabled.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>curl<\/code> (or Postman) for testing<\/li>\n<li>A text editor (VS Code)<\/li>\n<li>Optional: OpenAPI tooling (<code>swagger-cli<\/code>, <code>openapi-generator<\/code>) for validation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Region availability and provisioning model depend on your Oracle Cloud subscription type. <strong>Verify in official docs and your console<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Common limits to check (varies):\n&#8211; Number of gateways\/nodes\n&#8211; Max request size \/ timeout\n&#8211; Rate limit ceilings\n&#8211; Number of APIs and versions\n&#8211; Analytics retention<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services for the lab<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A reachable backend endpoint (we\u2019ll build a simple \u201chello\u201d API)<\/li>\n<li>Network access from gateway to backend (VCN routing\/security rules as needed)<\/li>\n<li>DNS name and TLS certificate for production-style exposure (optional for lab)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing model (how you are billed)<\/h3>\n\n\n\n<p>Oracle pricing for API Platform depends on the exact offering (for example, Oracle API Platform Cloud Service vs OCI-native gateway services). Pricing may be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Subscription-based<\/strong> (monthly) and\/or<\/li>\n<li><strong>Usage-based<\/strong> (requests\/messages, gateway capacity, environments)<\/li>\n<\/ul>\n\n\n\n<p>Because Oracle pricing and SKUs can change and can be region- and contract-dependent, <strong>do not rely on estimates without checking official sources<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions to look for<\/h3>\n\n\n\n<p>When reviewing Oracle\u2019s official pricing, look for dimensions such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Gateway runtime capacity (nodes\/instances, OCPU, or equivalent)<\/li>\n<li>API calls (requests\/messages) per period<\/li>\n<li>Environments (dev\/test\/prod) and included quotas<\/li>\n<li>Analytics retention and log export costs (if applicable)<\/li>\n<li>Optional add-ons (WAF, Load Balancer, private connectivity)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>Oracle Cloud Free Tier commonly covers certain OCI services (compute\/networking), but <strong>API Platform itself may not be part of Free Tier<\/strong>. Verify in:\n&#8211; Oracle Cloud Free Tier overview: https:\/\/www.oracle.com\/cloud\/free\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers (direct and indirect)<\/h3>\n\n\n\n<p><strong>Direct<\/strong>\n&#8211; API Platform subscription or metered usage\n&#8211; Number of gateway nodes\/instances\n&#8211; Traffic volume (API calls)\n&#8211; Advanced features (analytics, portal) if priced separately<\/p>\n\n\n\n<p><strong>Indirect<\/strong>\n&#8211; Data egress charges (internet outbound) depending on traffic patterns\n&#8211; OCI Load Balancer and WAF costs (if used)\n&#8211; Logging\/monitoring storage and retention\n&#8211; Backend compute\/OKE\/database costs\n&#8211; Private connectivity (VPN\/FastConnect) for hybrid backends<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Inbound internet traffic is usually not charged; outbound (egress) often is.<\/li>\n<li>If consumers are internet-based and responses are large, egress can become a major cost driver.<\/li>\n<li>If backends are on-prem via VPN, consider bandwidth and availability costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-size gateway footprint for real traffic<\/li>\n<li>Use rate limits and quotas to reduce abuse-driven costs<\/li>\n<li>Minimize large response payloads (pagination\/compression where supported)<\/li>\n<li>Set appropriate log retention; export only required fields<\/li>\n<li>Use WAF strategically (block abusive traffic early)<\/li>\n<li>Separate dev\/test with smaller capacity and lower retention<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (method, not numbers)<\/h3>\n\n\n\n<p>A realistic way to estimate a starter environment:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Identify minimum gateway footprint for dev (1 gateway node\/instance if allowed).<\/li>\n<li>Estimate monthly calls (e.g., 1\u20135 million calls\/month for a small internal API program).<\/li>\n<li>Add optional edge components:\n   &#8211; Load balancer (if required)\n   &#8211; WAF (if public)<\/li>\n<li>Add observability costs:\n   &#8211; log ingestion volume (requests\/day \u00d7 log size)\n   &#8211; retention (days)<\/li>\n<\/ol>\n\n\n\n<p>Then validate in Oracle\u2019s pricing pages and calculator.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>For production, plan for:\n&#8211; Multiple gateway nodes for HA\n&#8211; WAF + Load Balancer (typical)\n&#8211; Higher log\/metrics volume and retention\n&#8211; Separate environments and CI\/CD pipelines\n&#8211; Private connectivity (DRG\/VPN\/FastConnect) if hybrid<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing sources (start here)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Oracle Cloud pricing page: https:\/\/www.oracle.com\/cloud\/pricing\/<\/li>\n<li>Oracle Cloud price list: https:\/\/www.oracle.com\/cloud\/price-list\/<\/li>\n<li>Oracle Cloud cost estimator\/calculator (if applicable for your offering): https:\/\/www.oracle.com\/cloud\/costestimator.html<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>For the exact \u201cAPI Platform\u201d SKU, search within the official price list for \u201cAPI Platform\u201d or \u201cAPI Platform Cloud Service\u201d, and <strong>verify current SKUs and metering units<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab focuses on a small, safe, low-cost workflow: <strong>publish a simple backend API through Oracle Cloud API Platform<\/strong>, secure it with an application credential (API key or similar, depending on what your API Platform edition supports), and test access.<\/p>\n\n\n\n<p>Because API Platform provisioning and UI flows can vary by Oracle Cloud environment, this tutorial uses a <strong>hybrid approach<\/strong>:\n&#8211; Steps that are consistent and executable everywhere: building the backend and testing with <code>curl<\/code>\n&#8211; Steps that depend on your API Platform console: kept explicit but not overly UI-specific, with checkpoints and verification guidance<\/p>\n\n\n\n<p>If you cannot provision API Platform in your tenancy, use this lab as a conceptual guide and <strong>verify Oracle\u2019s recommended OCI-native alternative<\/strong> (often OCI API Gateway) in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy a small backend \u201cHello API\u201d service.<\/li>\n<li>Register the backend in API Platform.<\/li>\n<li>Publish an API via the API Platform Gateway.<\/li>\n<li>Create an application\/consumer and obtain credentials.<\/li>\n<li>Call the API through the gateway endpoint and confirm policy enforcement.<\/li>\n<li>Clean up resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will build:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A backend HTTP API (<code>\/hello<\/code>) running on a small VM (or any reachable endpoint you control).<\/li>\n<li>An API in API Platform that proxies <code>\/hello<\/code> through the gateway.<\/li>\n<li>An application registration that gets credentials.<\/li>\n<li>A test call via <code>curl<\/code>.<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can successfully call <code>https:\/\/&lt;gateway-host&gt;\/hello<\/code> and receive JSON, and unauthorized calls fail with an auth error (401\/403) or policy rejection.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create a backend \u201cHello API\u201d service (Compute VM)<\/h3>\n\n\n\n<p>You need a backend endpoint reachable from the API Platform Gateway.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option A (recommended for broad compatibility): OCI Compute VM + Python Flask<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a small Linux VM in Oracle Cloud Infrastructure (Free Tier eligible shapes may be available; verify in your region).<\/li>\n<li>Allow inbound TCP <code>8080<\/code> <strong>from the gateway network only<\/strong> (for production). For a lab, you may temporarily allow from your IP.<\/li>\n<\/ol>\n\n\n\n<p>On the VM, install Python and run a tiny API:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo apt-get update\nsudo apt-get install -y python3 python3-pip\npip3 install flask\n<\/code><\/pre>\n\n\n\n<p>Create <code>app.py<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-python\">from flask import Flask, jsonify, request\n\napp = Flask(__name__)\n\n@app.get(\"\/hello\")\ndef hello():\n    return jsonify({\n        \"message\": \"Hello from backend\",\n        \"client_ip\": request.remote_addr\n    })\n\n@app.get(\"\/health\")\ndef health():\n    return jsonify({\"status\": \"ok\"})\n\nif __name__ == \"__main__\":\n    # Listen on all interfaces so the gateway can reach it\n    app.run(host=\"0.0.0.0\", port=8080)\n<\/code><\/pre>\n\n\n\n<p>Run it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">python3 app.py\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The backend is listening on <code>http:\/\/&lt;vm-private-or-public-ip&gt;:8080<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Verify backend locally<\/h4>\n\n\n\n<p>From your laptop (if reachable):<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -s http:\/\/&lt;BACKEND_HOST&gt;:8080\/hello | jq .\n<\/code><\/pre>\n\n\n\n<p>If you don\u2019t have <code>jq<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -s http:\/\/&lt;BACKEND_HOST&gt;:8080\/hello\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> JSON with <code>message: \"Hello from backend\"<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Prepare an OpenAPI definition (API contract)<\/h3>\n\n\n\n<p>Create <code>hello-openapi.yaml<\/code> locally:<\/p>\n\n\n\n<pre><code class=\"language-text\">openapi: 3.0.3\ninfo:\n  title: Hello API\n  version: 1.0.0\nservers:\n  - url: https:\/\/example.invalid\npaths:\n  \/hello:\n    get:\n      summary: Returns a hello message\n      responses:\n        \"200\":\n          description: OK\n          content:\n            application\/json:\n              schema:\n                type: object\n                properties:\n                  message:\n                    type: string\n                  client_ip:\n                    type: string\n  \/health:\n    get:\n      summary: Health endpoint\n      responses:\n        \"200\":\n          description: OK\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have a minimal API contract to import into API Platform (or use as documentation).<\/p>\n\n\n\n<blockquote>\n<p>Some API management products require a specific OpenAPI version or additional vendor extensions. If import fails, <strong>verify supported OpenAPI versions and import requirements<\/strong> in official API Platform docs.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create\/register the backend in API Platform<\/h3>\n\n\n\n<p>In your API Platform console:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to the section for <strong>Backends \/ Services \/ Implementations<\/strong> (naming varies).<\/li>\n<li>Create a backend\/service with:\n   &#8211; <strong>Name:<\/strong> <code>hello-backend<\/code>\n   &#8211; <strong>Base URL:<\/strong> <code>http:\/\/&lt;BACKEND_HOST&gt;:8080<\/code>\n   &#8211; <strong>Health URL (optional):<\/strong> <code>\/health<\/code><\/li>\n<li>Save.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> API Platform has a registered backend endpoint.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Verification checkpoint<\/h4>\n\n\n\n<p>Most platforms provide a \u201ctest connection\u201d or \u201ctry it\u201d for backends. If available:\n&#8211; Run a test call to <code>\/health<\/code>.\n&#8211; Confirm you get <code>200 OK<\/code>.<\/p>\n\n\n\n<p>If there is no backend test tool, proceed and validate after gateway deployment.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create an API in API Platform and attach policies<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>APIs<\/strong> and create a new API:\n   &#8211; <strong>Name:<\/strong> <code>hello-api<\/code>\n   &#8211; <strong>Version:<\/strong> <code>1.0<\/code><\/li>\n<li>Import the <code>hello-openapi.yaml<\/code> (if supported) or manually create resources\/routes:\n   &#8211; Route: <code>GET \/hello<\/code> \u2192 backend <code>hello-backend<\/code> \u2192 <code>\/hello<\/code><\/li>\n<li>\n<p>Add security policy:\n   &#8211; Choose <strong>API Key<\/strong> or <strong>OAuth 2.0\/OIDC<\/strong> depending on what your API Platform edition supports.\n   &#8211; For a beginner lab, API key is often simplest.<\/p>\n<\/li>\n<li>\n<p>Add a basic traffic policy (optional but recommended):\n   &#8211; Rate limit, e.g., 60 requests\/min per application (if supported).<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> The API is defined with at least one route and an authentication requirement.<\/p>\n\n\n\n<blockquote>\n<p>If you do not see API key or OAuth policies, your edition may have different features. <strong>Verify policy catalog in official docs<\/strong> and adapt accordingly.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Deploy\/publish the API to an API Platform Gateway<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Ensure you have at least one <strong>Gateway<\/strong> available and running.<\/li>\n<li>Select your API (<code>hello-api<\/code>) and choose <strong>Deploy\/Publish<\/strong> to a gateway\/environment:\n   &#8211; Environment: <code>dev<\/code> (or your non-prod environment)\n   &#8211; Gateway: select a gateway instance<\/li>\n<li>Confirm deployment.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> The gateway receives configuration and exposes an endpoint for your API.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Capture the gateway URL<\/h4>\n\n\n\n<p>You should end up with something like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>https:\/\/&lt;gateway-hostname&gt;\/hello<\/code><br\/>\nor<\/li>\n<li><code>https:\/\/&lt;gateway-hostname&gt;\/&lt;basepath&gt;\/hello<\/code><\/li>\n<\/ul>\n\n\n\n<p>Record:\n&#8211; <strong>Gateway base URL<\/strong>\n&#8211; <strong>Base path<\/strong> (if applicable)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Create an application\/consumer and subscribe to the API<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>Applications \/ Consumers \/ Subscriptions<\/strong> (naming varies).<\/li>\n<li>Create an application:\n   &#8211; <strong>Name:<\/strong> <code>hello-client<\/code><\/li>\n<li>Subscribe the application to <code>hello-api<\/code> (if subscription is required by your platform model).<\/li>\n<li>Obtain the credentials:\n   &#8211; API key, client ID\/secret, or other token credentials<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have credentials to call the API through the gateway.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Call the API through the gateway<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Test 1: Unauthorized call (should fail)<\/h4>\n\n\n\n<pre><code class=\"language-bash\">curl -i https:\/\/&lt;GATEWAY_HOST&gt;&lt;BASE_PATH&gt;\/hello\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> A 401\/403 (or policy rejection). The exact status code depends on policy configuration.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Test 2: Authorized call (should succeed)<\/h4>\n\n\n\n<p>If using an API key header (example header name; verify in your platform):<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -s -H \"X-API-Key: &lt;YOUR_API_KEY&gt;\" \\\n  https:\/\/&lt;GATEWAY_HOST&gt;&lt;BASE_PATH&gt;\/hello\n<\/code><\/pre>\n\n\n\n<p>If your platform uses another header name or query parameter for API keys, use that method as documented by your API Platform console.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>200 OK<\/code> and JSON response from your backend.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Backend works directly:<\/li>\n<li><code>curl http:\/\/&lt;BACKEND_HOST&gt;:8080\/hello<\/code> returns JSON<\/li>\n<li>Gateway is reachable:<\/li>\n<li><code>curl -i https:\/\/&lt;GATEWAY_HOST&gt;&lt;BASE_PATH&gt;\/health<\/code> (if exposed)<\/li>\n<li>Unauthorized call fails:<\/li>\n<li>returns 401\/403 (or policy error)<\/li>\n<li>Authorized call succeeds:<\/li>\n<li>returns <code>200 OK<\/code><\/li>\n<li>Rate limit (if configured) works:<\/li>\n<li>repeated calls eventually return 429 (if enabled)<\/li>\n<\/ul>\n\n\n\n<p>A simple load test (be gentle in shared environments):<\/p>\n\n\n\n<pre><code class=\"language-bash\">for i in $(seq 1 20); do\n  curl -s -o \/dev\/null -w \"%{http_code}\\n\" \\\n    -H \"X-API-Key: &lt;YOUR_API_KEY&gt;\" \\\n    https:\/\/&lt;GATEWAY_HOST&gt;&lt;BASE_PATH&gt;\/hello\ndone\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">1) Gateway returns 502\/504<\/h4>\n\n\n\n<p><strong>Likely causes<\/strong>\n&#8211; Backend not reachable from gateway network\n&#8211; Wrong backend URL\/port\n&#8211; Backend firewall blocks gateway\n&#8211; Timeout too low<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Verify backend is listening on <code>0.0.0.0:8080<\/code>\n&#8211; Check VCN security rules\/NSGs to allow gateway-to-backend traffic\n&#8211; Confirm backend URL in API Platform matches reachable address (private IP vs public IP)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">2) Unauthorized even with API key<\/h4>\n\n\n\n<p><strong>Likely causes<\/strong>\n&#8211; Wrong header name or credential type\n&#8211; App not subscribed to the API\n&#8211; API deployed before policy changes<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Verify the required header name and format in API Platform docs\/portal\n&#8211; Confirm subscription is active\n&#8211; Redeploy the API after policy updates<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">3) 404 Not Found on gateway URL<\/h4>\n\n\n\n<p><strong>Likely causes<\/strong>\n&#8211; Wrong base path\n&#8211; API not deployed to that gateway\/environment\n&#8211; Route not defined<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Check deployment status in API Platform\n&#8211; Confirm the gateway endpoint and base path\n&#8211; Verify route <code>\/hello<\/code> exists and method is <code>GET<\/code><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">4) TLS\/certificate errors<\/h4>\n\n\n\n<p><strong>Likely causes<\/strong>\n&#8211; Self-signed cert on gateway endpoint\n&#8211; Incorrect hostname<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Use the correct DNS name\n&#8211; For lab-only testing you can do:\n  <code>bash\n  curl -k -i https:\/\/&lt;GATEWAY_HOST&gt;&lt;BASE_PATH&gt;\/hello<\/code>\n  Do not use <code>-k<\/code> in production.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing costs and reduce attack surface:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Undeploy\/unpublish<\/strong> <code>hello-api<\/code> from all gateways.<\/li>\n<li>Delete the <strong>application<\/strong> <code>hello-client<\/code> and revoke credentials.<\/li>\n<li>Delete the API definition and backend registration if no longer needed.<\/li>\n<li>Terminate the backend VM (Compute instance) and remove related networking rules.<\/li>\n<li>Remove any test certificates and DNS records created for the lab.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use a clear API domain model:<\/strong> group APIs by domain\/team, not by technology.<\/li>\n<li><strong>Keep backends private:<\/strong> expose only the gateway publicly; connect gateway to backends via private networking where possible.<\/li>\n<li><strong>Separate environments:<\/strong> dev\/test\/prod with controlled promotions and minimal cross-environment sharing.<\/li>\n<li><strong>Design for versioning:<\/strong> embed version strategy (<code>\/v1\/<\/code> vs header-based) and document deprecation timelines.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege:<\/strong> separate platform admins from API publishers; limit who can deploy to prod gateways.<\/li>\n<li><strong>Use centralized identity:<\/strong> prefer OAuth\/OIDC with short-lived tokens for user-context calls.<\/li>\n<li><strong>Rotate credentials:<\/strong> API keys and client secrets should be rotated regularly and on incident.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with minimal gateway footprint for dev\/test.<\/li>\n<li>Avoid excessive log verbosity in production; log what you need for audit and debugging.<\/li>\n<li>Use quotas\/rate limits to prevent abuse-driven cost spikes.<\/li>\n<li>Control payload sizes with pagination and resource limits.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce request\/response size limits to protect backends.<\/li>\n<li>Keep policy chains minimal for hot paths; complex transformations add latency.<\/li>\n<li>Use regional placement wisely: place gateways close to consumers or backends to reduce round-trip time (depending on your architecture).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy multiple gateway nodes\/instances for HA (where supported).<\/li>\n<li>Use health checks and automated failover at the edge (LB\/WAF).<\/li>\n<li>Define timeouts and retry strategies carefully\u2014avoid retry storms.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish SLOs and dashboards: error rate, latency, 4xx\/5xx breakdown, throttling events.<\/li>\n<li>Run synthetic checks against key endpoints.<\/li>\n<li>Use structured logging with correlation IDs (propagate <code>X-Request-Id<\/code> or equivalent).<\/li>\n<li>Maintain an API inventory and ownership metadata.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize naming: <code>&lt;domain&gt;-&lt;api&gt;-&lt;env&gt;<\/code> for gateways and routes.<\/li>\n<li>Tag APIs by owner, cost center, data classification, and lifecycle state.<\/li>\n<li>Require documentation and an operational runbook before publishing to prod.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Administrative access<\/strong> should use Oracle identity groups and strong MFA policies.<\/li>\n<li>Separate:<\/li>\n<li>platform admin (global)<\/li>\n<li>environment operator (deploy to prod)<\/li>\n<li>API owner (manage specific APIs)<\/li>\n<li>read-only auditor<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>In transit:<\/strong> enforce TLS from consumers to gateway.<\/li>\n<li><strong>Gateway to backend:<\/strong> use TLS where possible; for internal-only networks, still prefer TLS for sensitive data.<\/li>\n<li><strong>At rest:<\/strong> depends on how configuration and analytics are stored in your offering; verify encryption defaults in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer: Internet \u2192 WAF\/LB \u2192 Gateway \u2192 Private Backend<\/li>\n<li>Avoid exposing backend services directly to the internet.<\/li>\n<li>Restrict backend inbound rules to the gateway subnet\/NSG.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not store API keys or client secrets in source code.<\/li>\n<li>Use a secrets manager solution available in Oracle Cloud (for OCI workloads, OCI Vault is common) and inject secrets at runtime.<\/li>\n<li>Implement credential rotation procedures.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure administrative actions (API publish, policy changes, credential issuance) are auditable.<\/li>\n<li>Centralize logs and protect them from tampering.<\/li>\n<li>Set retention based on compliance needs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Common compliance expectations for API programs:\n&#8211; strong access control and auditing\n&#8211; encryption in transit\n&#8211; data minimization and classification tags\n&#8211; incident response playbooks\n&#8211; documented retention policies<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No rate limiting on public APIs (leads to abuse and outages)<\/li>\n<li>Using long-lived static tokens without rotation<\/li>\n<li>Allowing wildcard CORS unnecessarily<\/li>\n<li>Logging sensitive data (tokens, PII) in access logs<\/li>\n<li>Treating dev gateway as \u201csafe\u201d while leaving it publicly accessible<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Put WAF in front of public gateways (if appropriate).<\/li>\n<li>Enforce strict authentication for all endpoints; avoid anonymous APIs unless truly public.<\/li>\n<li>Apply per-consumer quotas and burst limits.<\/li>\n<li>Use private networking to backends and restrict inbound rules.<\/li>\n<li>Add automated tests for auth, rate limiting, and common misconfigurations.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<p>Because \u201cAPI Platform\u201d packaging can differ across Oracle Cloud environments, treat the following as common gotchas and verify specifics in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not all OpenAPI constructs import cleanly; some require manual adjustments.<\/li>\n<li>Some policy types may be limited or only available in certain editions.<\/li>\n<li>Advanced traffic management (complex routing, canary, weighted routing) may not be supported natively.<\/li>\n<li>Analytics granularity and retention may be limited.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Max APIs, versions, and deployments can be capped.<\/li>\n<li>Rate limit ceilings may exist.<\/li>\n<li>Log retention may be capped or billed separately.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Service availability can vary by region and account type.<\/li>\n<li>Hybrid gateway placement may require additional network setup.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>High log volumes can generate unexpected observability\/storage costs.<\/li>\n<li>Public API response egress can become expensive at scale.<\/li>\n<li>Additional edge components (WAF\/LB) are separate services with separate bills.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OAuth\/OIDC integration requires careful alignment of issuer, audience, and token signing algorithms.<\/li>\n<li>Header-based API keys can conflict with proxies\/CDNs if headers are stripped or normalized.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Policy changes may require redeployment to gateways.<\/li>\n<li>Rolling updates of gateway nodes may temporarily affect traffic if not HA.<\/li>\n<li>Misconfigured timeouts can cause backend overload (if clients retry aggressively).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Moving from API Platform to another gateway (or vice versa) requires:<\/li>\n<li>mapping policies<\/li>\n<li>converting API definitions and base paths<\/li>\n<li>reissuing credentials<\/li>\n<li>updating DNS\/certificates<\/li>\n<li>revisiting logging\/analytics pipelines<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identity integration details can vary (OCI IAM vs IDCS vs Oracle Cloud Identity). Verify which identity service your API Platform uses and how OAuth is configured.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Nearest services in Oracle Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI API Gateway<\/strong>: OCI-native gateway for publishing APIs.<\/li>\n<li><strong>Oracle Integration (OIC)<\/strong>: integration platform; may expose integrations as APIs but has different primary goals.<\/li>\n<li><strong>OCI Load Balancer + Ingress (OKE)<\/strong>: workable for simple routing but lacks full API management features.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Nearest services in other clouds<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS API Gateway<\/li>\n<li>Azure API Management<\/li>\n<li>Google Apigee \/ API Gateway<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source \/ self-managed alternatives<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kong (Gateway + Kong Manager)<\/li>\n<li>NGINX (plus API management add-ons)<\/li>\n<li>Tyk<\/li>\n<li>WSO2 API Manager<\/li>\n<li>Envoy-based gateways<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Comparison table<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Oracle Cloud API Platform<\/strong><\/td>\n<td>Organizations needing centralized API management (governance + gateway) in Oracle Cloud environments<\/td>\n<td>Central policy\/governance model, developer onboarding patterns, Oracle ecosystem alignment<\/td>\n<td>Availability and feature set can depend on edition; may be legacy in some orgs; verify roadmap<\/td>\n<td>When you already have it available and need full API management workflows<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI API Gateway<\/strong><\/td>\n<td>OCI-native API exposure<\/td>\n<td>Tight OCI integration, simpler provisioning, good fit for OCI workloads<\/td>\n<td>May not include full \u201cportal + management\u201d experience by default<\/td>\n<td>When standardizing on OCI-native services for new builds<\/td>\n<\/tr>\n<tr>\n<td><strong>Oracle Integration (OIC)<\/strong><\/td>\n<td>Application and data integration<\/td>\n<td>Great for integrating SaaS\/ERP systems; can expose integrations<\/td>\n<td>Not a dedicated APIM replacement<\/td>\n<td>When your primary requirement is integration orchestration, not API product management<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS API Gateway<\/strong><\/td>\n<td>AWS-based systems<\/td>\n<td>Mature, serverless, deep AWS integration<\/td>\n<td>AWS lock-in; pricing\/limits differ<\/td>\n<td>When workloads are primarily on AWS<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure API Management<\/strong><\/td>\n<td>Azure-based systems<\/td>\n<td>Strong enterprise governance\/portal features<\/td>\n<td>Azure lock-in; operational model differs<\/td>\n<td>When workloads are primarily on Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>Apigee<\/strong><\/td>\n<td>Large-scale API programs<\/td>\n<td>Strong API productization and analytics<\/td>\n<td>Cost and operational complexity<\/td>\n<td>When you need advanced enterprise APIM capabilities<\/td>\n<\/tr>\n<tr>\n<td><strong>Kong \/ Tyk \/ WSO2 (self-managed)<\/strong><\/td>\n<td>Platform teams that want control and portability<\/td>\n<td>Flexible, portable, customizable<\/td>\n<td>You operate it: upgrades, scaling, security<\/td>\n<td>When you need cross-cloud\/on-prem portability and can operate the platform<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Regional bank partner API program<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA bank needs to expose secure partner APIs (account verification, payments initiation status, transaction lookup) while keeping core systems private and controlling partner traffic.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Public edge: OCI WAF \u2192 Load Balancer\n&#8211; API runtime: API Platform Gateways (HA)\n&#8211; Identity: Oracle identity integration for OAuth2 (partner client credentials)\n&#8211; Backends: core services on-prem via DRG\/VPN, plus some OCI-hosted microservices\n&#8211; Observability: centralized logs\/metrics with alerts on error rate and latency<\/p>\n\n\n\n<p><strong>Why API Platform was chosen<\/strong>\n&#8211; Central governance across many APIs and teams\n&#8211; Standardized OAuth and quota enforcement\n&#8211; API inventory and onboarding for multiple partners<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Faster partner onboarding with consistent credentialing\n&#8211; Reduced outages from partner traffic spikes (rate limiting)\n&#8211; Improved audit readiness (central change control and usage visibility)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS public API for integrations<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA SaaS startup wants to publish a public API for customer integrations, but doesn\u2019t want every service team to implement auth, throttling, and documentation.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Gateway endpoint: API Platform Gateway exposing <code>\/v1\/*<\/code>\n&#8211; Auth: API keys for initial rollout; roadmap to OAuth for enterprise customers\n&#8211; Backends: a small set of microservices (OKE or compute VMs)\n&#8211; CI\/CD: automated deployment of API definitions and policies (where supported)<\/p>\n\n\n\n<p><strong>Why API Platform was chosen<\/strong>\n&#8211; Quick path to consistent API security and traffic control\n&#8211; Central place for API documentation and consumer onboarding (portal if available)\n&#8211; Ability to evolve backend without breaking client endpoints<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Faster delivery of a stable API contract\n&#8211; Better customer experience through self-serve onboarding and predictable limits\n&#8211; Reduced operational incidents due to centralized throttling and monitoring<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is \u201cAPI Platform\u201d the same as \u201cOCI API Gateway\u201d?<\/strong><br\/>\nNot necessarily. Oracle Cloud has an API management offering historically known as <strong>API Platform (Oracle API Platform Cloud Service)<\/strong>, and OCI also offers <strong>OCI API Gateway<\/strong> as an OCI-native service. <strong>Verify which one your tenancy provides and Oracle\u2019s current recommendation<\/strong>.<\/p>\n\n\n\n<p>2) <strong>Do I need API Platform if I already have a load balancer?<\/strong><br\/>\nA load balancer handles traffic distribution and basic routing, but API Platform typically adds API-centric controls like authentication, quotas, developer onboarding, and API lifecycle governance.<\/p>\n\n\n\n<p>3) <strong>Can API Platform front on-prem backends?<\/strong><br\/>\nCommonly yes, using private connectivity (VPN\/DRG\/FastConnect) and network rules. Verify gateway deployment options and supported network patterns for your edition.<\/p>\n\n\n\n<p>4) <strong>What authentication methods are supported?<\/strong><br\/>\nTypically API keys and OAuth2\/OIDC\/JWT validation are common. Exact supported policies depend on your API Platform version\/edition\u2014verify in official docs.<\/p>\n\n\n\n<p>5) <strong>How do I version APIs safely?<\/strong><br\/>\nUse a clear versioning scheme (path-based like <code>\/v1\/<\/code>) and run overlapping support windows. Use API lifecycle states to communicate deprecation and timelines.<\/p>\n\n\n\n<p>6) <strong>Should I expose the gateway publicly or keep it private?<\/strong><br\/>\nFor public APIs, the gateway is typically public (often behind WAF). For internal APIs, prefer private endpoints and private networking.<\/p>\n\n\n\n<p>7) <strong>How do rate limits work?<\/strong><br\/>\nRate limits typically apply per consumer\/application and\/or per API. When exceeded, gateways return 429. Exact policy semantics vary\u2014verify.<\/p>\n\n\n\n<p>8) <strong>Where should I put WAF: before or after the gateway?<\/strong><br\/>\nTypically <strong>before<\/strong> the gateway for public APIs, to block malicious traffic early. The gateway still enforces identity and API-specific policies.<\/p>\n\n\n\n<p>9) <strong>Can API Platform transform requests\/responses?<\/strong><br\/>\nMany API gateways support basic transformations (headers, some payload manipulation). Capabilities vary; for complex transformations, consider doing it in backend services.<\/p>\n\n\n\n<p>10) <strong>How do I migrate from an existing gateway to API Platform (or away from it)?<\/strong><br\/>\nInventory APIs, map policies, plan credential migration, and implement DNS cutover with careful testing. Expect differences in policy semantics and analytics.<\/p>\n\n\n\n<p>11) <strong>Is API Platform suitable for GraphQL?<\/strong><br\/>\nSome API management platforms support GraphQL; others treat it as generic HTTP. <strong>Verify GraphQL support<\/strong> in official docs before committing.<\/p>\n\n\n\n<p>12) <strong>How do I secure backend services?<\/strong><br\/>\nKeep them private, restrict inbound traffic to gateway networks, require backend auth if possible, and use TLS between gateway and backend.<\/p>\n\n\n\n<p>13) <strong>What should I log?<\/strong><br\/>\nAt minimum: timestamp, request path\/method, response status, latency, consumer\/app ID, correlation ID. Avoid logging tokens or sensitive data.<\/p>\n\n\n\n<p>14) <strong>How do I implement zero-downtime policy changes?<\/strong><br\/>\nUse HA gateways, staged rollouts, and deploy changes first to non-prod. If your platform supports gradual rollout, use it; otherwise coordinate maintenance windows.<\/p>\n\n\n\n<p>15) <strong>What\u2019s the biggest operational risk with API management platforms?<\/strong><br\/>\nTreating the gateway as \u201cset and forget.\u201d Gateways become critical infrastructure\u2014monitor them, patch\/update per Oracle guidance, and test policies like you test code.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn API Platform<\/h2>\n\n\n\n<p>Because Oracle product packaging can evolve, use these as starting points and always confirm the docs match your edition and environment.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Oracle Cloud Documentation portal: https:\/\/docs.oracle.com\/<\/td>\n<td>Entry point for official product docs; search for \u201cAPI Platform\u201d and your exact service name<\/td>\n<\/tr>\n<tr>\n<td>Official docs (search)<\/td>\n<td>Docs search for \u201cAPI Platform Cloud Service\u201d: https:\/\/docs.oracle.com\/en\/<\/td>\n<td>Helps locate the API Platform-specific guide if your account uses that offering<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Oracle Cloud Pricing: https:\/\/www.oracle.com\/cloud\/pricing\/<\/td>\n<td>Understand Oracle\u2019s pricing model and links to calculators<\/td>\n<\/tr>\n<tr>\n<td>Official price list<\/td>\n<td>Oracle Cloud Price List: https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\n<td>Find the exact SKU\/meter for \u201cAPI Platform\u201d (verify naming)<\/td>\n<\/tr>\n<tr>\n<td>Cost estimator<\/td>\n<td>Oracle Cloud Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<td>Build a cost estimate using official tooling (availability depends on service)<\/td>\n<\/tr>\n<tr>\n<td>Free tier overview<\/td>\n<td>Oracle Cloud Free Tier: https:\/\/www.oracle.com\/cloud\/free\/<\/td>\n<td>Helps you design low-cost labs using free-eligible backend services<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Oracle Architecture Center: https:\/\/www.oracle.com\/cloud\/architecture-center\/<\/td>\n<td>Reference architectures for secure network patterns, WAF, and hybrid connectivity<\/td>\n<\/tr>\n<tr>\n<td>Identity docs<\/td>\n<td>OCI IAM docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/home.htm<\/td>\n<td>Core identity model; useful when integrating OAuth and admin permissions<\/td>\n<\/tr>\n<tr>\n<td>Networking docs<\/td>\n<td>OCI Networking docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Concepts\/overview.htm<\/td>\n<td>VCN, subnets, NSGs, and hybrid networking patterns for gateway-to-backend connectivity<\/td>\n<\/tr>\n<tr>\n<td>Security guidance<\/td>\n<td>OCI Security docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Security\/Concepts\/securityoverview.htm<\/td>\n<td>Security best practices relevant to API exposure<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Oracle Cloud Infrastructure blog: https:\/\/blogs.oracle.com\/cloud-infrastructure\/<\/td>\n<td>Practical guidance and updates (verify relevance to API Platform)<\/td>\n<\/tr>\n<tr>\n<td>Video learning<\/td>\n<td>Oracle YouTube channel: https:\/\/www.youtube.com\/@Oracle<\/td>\n<td>Search for Oracle API management\/API gateway content; confirm applicability<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<p>The following training providers may offer courses relevant to Oracle Cloud and API management. Verify current course catalogs on their websites.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, platform teams, architects<\/td>\n<td>DevOps, cloud fundamentals, automation, platform practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Students, beginners, DevOps practitioners<\/td>\n<td>DevOps basics, SCM, CI\/CD, cloud introductions<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud engineers, operations teams<\/td>\n<td>Cloud operations, monitoring, reliability practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, operations, platform engineering<\/td>\n<td>SRE principles, observability, reliability engineering<\/td>\n<td>Check website<\/td>\n<td>https:\/\/sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops\/SRE teams exploring AIOps<\/td>\n<td>AIOps concepts, automation, event correlation<\/td>\n<td>Check website<\/td>\n<td>https:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<p>These sites are presented as training resources\/platforms. Verify current offerings directly.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training and guidance (verify)<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training resources (verify)<\/td>\n<td>DevOps engineers and students<\/td>\n<td>https:\/\/devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Independent DevOps consulting\/training content (verify)<\/td>\n<td>Teams needing practical DevOps help<\/td>\n<td>https:\/\/devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and learning resources (verify)<\/td>\n<td>Operations\/DevOps teams<\/td>\n<td>https:\/\/devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<p>These organizations may provide consulting services related to DevOps, cloud, and platform engineering. Verify service offerings and references directly.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify)<\/td>\n<td>Platform automation, cloud migrations, operational improvements<\/td>\n<td>API gateway rollout planning, CI\/CD for API definitions, observability setup<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting\/training<\/td>\n<td>DevOps transformation, pipeline design, SRE practices<\/td>\n<td>Standardizing API deployment workflows, governance processes, runbooks<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify)<\/td>\n<td>Delivery automation, infrastructure as code, operations<\/td>\n<td>API edge security patterns, environment separation, deployment automation<\/td>\n<td>https:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before API Platform<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HTTP fundamentals: methods, status codes, headers, TLS<\/li>\n<li>REST API design basics and common patterns<\/li>\n<li>OpenAPI basics (reading and validating specs)<\/li>\n<li>OAuth 2.0 \/ OIDC concepts (tokens, scopes, audiences)<\/li>\n<li>Networking basics: DNS, subnets, firewall rules, private\/public endpoints<\/li>\n<li>Observability basics: logs vs metrics vs traces<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after API Platform<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Advanced API security (OWASP API Top 10, threat modeling)<\/li>\n<li>CI\/CD for APIs and policies (GitOps patterns where supported)<\/li>\n<li>Performance engineering (latency budgets, load testing, caching strategies)<\/li>\n<li>Multi-region resiliency and DR for API entry points<\/li>\n<li>API product management practices (contract governance, deprecation, SLAs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud engineer \/ DevOps engineer<\/li>\n<li>Platform engineer<\/li>\n<li>Solutions architect<\/li>\n<li>API architect<\/li>\n<li>Security engineer (API security)<\/li>\n<li>SRE \/ production operations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Oracle\u2019s certification landscape changes over time, and API Platform may not have a dedicated certification track. A practical approach:\n&#8211; Start with <strong>Oracle Cloud Infrastructure foundations<\/strong> certifications (verify current names).\n&#8211; Add security and networking certifications relevant to API exposure.\n&#8211; Use hands-on projects as proof of skill.<\/p>\n\n\n\n<p><strong>Verify Oracle\u2019s current certification catalog here:<\/strong><br\/>\nhttps:\/\/education.oracle.com\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Publish an internal API catalog with versioning and deprecation policy.<\/li>\n<li>Implement OAuth2-protected APIs with per-client quotas.<\/li>\n<li>Build a multi-environment pipeline that deploys API definitions and policies.<\/li>\n<li>Add WAF in front of public APIs and test common abuse patterns.<\/li>\n<li>Create an operational dashboard: 4xx\/5xx, p95 latency, throttles, top consumers.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API (Application Programming Interface):<\/strong> A contract and endpoint for programmatic access to a service.<\/li>\n<li><strong>API Management (APIM):<\/strong> Tools and processes to publish, secure, monitor, and govern APIs.<\/li>\n<li><strong>API Gateway:<\/strong> Runtime component that enforces policies and routes API requests to backends.<\/li>\n<li><strong>Control plane:<\/strong> Management layer where APIs and policies are configured and deployed.<\/li>\n<li><strong>Data plane:<\/strong> Runtime layer handling live traffic.<\/li>\n<li><strong>OAuth 2.0:<\/strong> Authorization framework used to obtain access tokens.<\/li>\n<li><strong>OIDC (OpenID Connect):<\/strong> Identity layer on top of OAuth 2.0 for authentication.<\/li>\n<li><strong>JWT (JSON Web Token):<\/strong> A signed token format commonly used for access tokens.<\/li>\n<li><strong>Rate limiting:<\/strong> Restricting the number of requests over time to protect systems.<\/li>\n<li><strong>Quota:<\/strong> A usage cap per consumer\/application or per API.<\/li>\n<li><strong>WAF (Web Application Firewall):<\/strong> Security layer that filters malicious web\/API traffic.<\/li>\n<li><strong>VCN (Virtual Cloud Network):<\/strong> OCI virtual network construct for isolated networking.<\/li>\n<li><strong>NSG (Network Security Group):<\/strong> OCI security rules applied to VNICs\/resources.<\/li>\n<li><strong>DRG (Dynamic Routing Gateway):<\/strong> OCI component for connecting VCNs to on-prem or other networks.<\/li>\n<li><strong>SLO (Service Level Objective):<\/strong> Reliability target (latency, availability, error rate).<\/li>\n<li><strong>Egress:<\/strong> Outbound network traffic, often billable.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Oracle Cloud <strong>API Platform<\/strong> provides a centralized approach to <strong>API governance and runtime enforcement<\/strong>\u2014typically combining a management\/control plane, gateway runtimes, and consumer onboarding patterns. It matters because it standardizes how APIs are secured, rate-limited, monitored, and published, reducing duplicated effort and lowering operational risk.<\/p>\n\n\n\n<p>Architecturally, it fits as the <strong>front door for APIs<\/strong> in Oracle Cloud and hybrid environments, often paired with identity services, VCN networking, and optional edge components like WAF and load balancing. Cost is driven by gateway capacity and API traffic volume, plus indirect costs like data egress and logging retention\u2014so quotas, rate limits, and sensible observability practices are key.<\/p>\n\n\n\n<p>Use API Platform when you need consistent API lifecycle management and centralized policy enforcement across teams. If API Platform availability is limited or your organization prefers OCI-native services for new builds, verify Oracle\u2019s current guidance and consider OCI-native alternatives where appropriate.<\/p>\n\n\n\n<p><strong>Next step:<\/strong> confirm your tenancy\u2019s API Platform offering and supported policy set in official Oracle docs, then repeat the lab using your real backend services and a production-grade network\/security topology.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Other Services<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[62,63],"tags":[],"class_list":["post-746","post","type-post","status-publish","format-standard","hentry","category-oracle-cloud","category-other-services"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=746"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/746\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}