
About the New CPSA® – Advanced Level Module API: Application Programming Interfaces

An Interview With the Curators Erik Wilde, Falk Sippach and Thilo Frotscher

On March 17, 2025, the iSAQB introduced the new Advanced Level module Application Programming Interfaces.

The module “API: Application Programming Interfaces” teaches software architects how to design and manage APIs effectively, ensuring seamless communication between components. APIs are vital for creating reusable software and connecting different systems, driving the digital transformation of businesses. This module covers key topics such as API design, security, lifecycle management, and API value creation, equipping architects with the skills to leverage APIs for scalable and efficient software architectures.

We conducted an interview with the curators, Erik Wilde, Falk Sippach and Thilo Frotscher, where they provide deeper insights into the module.

 

Why did the iSAQB decide to include a separate advanced-level module on APIs in the program? What training gap does it aim to fill?

Application Programming Interfaces (APIs) play a central role in modern software and enterprise architectures. They are not just technical interfaces but also strategic building blocks for scalability, reusability, and digital business models. This module brings together all aspects of the topic and examines them within this broader context.

Many developers today do not see themselves as primarily responsible for the strategic use of APIs within their organizations. As organizations grow, this can lead to challenges and missed opportunities. The new module enables architects and developers not only to implement APIs but also to understand and actively shape them as an essential part of the architectural strategy.

 

What concrete skills and competencies do participants gain after completing the API module, and how can they apply them effectively in their projects?

Our main focus was on providing a big-picture understanding of APIs. That’s why we cover business models, different API styles and their associated technologies, the design process, development support, security aspects, and the management of entire API landscapes within organizations. The topic of APIs extends far beyond purely technical aspects, and this broad perspective helps maximize the potential of IT investments.

APIs are key to making an organization more adaptable and resilient to change, making them a crucial investment for the future. After completing the module, participants will be able to strategically design APIs, implement them in a technically sound manner, and manage them over the long term – a decisive advantage for modern software development projects and a sustainable IT architecture.

 

How do different API styles, such as REST, GraphQL, and gRPC, affect the flexibility and scalability of software architectures?

As is often the case, the answer to the question of “the best API style” or “the best API technology” is a classic “it depends.” There are no simple, one-size-fits-all solutions. Instead, it is essential to analyze the nature of an interface: Is it primarily transactional? Does it publish events? Does it allow queries?

In many cases, APIs combine multiple aspects, making the choice of the most appropriate style less obvious. Another important consideration is the existing API landscape—what APIs are already in place, and do you need to integrate with them? Additionally, the level of control over API consumers plays a role—what styles are known and preferred within the ecosystem?

As with most architectural decisions, context matters. This is precisely why having a broad perspective is essential for making informed decisions. In modern architectures, multiple API styles are often combined to leverage their respective strengths effectively.

 

What best practices should be followed when designing APIs to ensure high usability and maintainability?

Two key principles should always be prioritized. First, API design should follow an “outside-in” approach – meaning that decisions should be based on consumer needs rather than internal data models. Second, backward and forward compatibility is crucial to allow APIs to evolve without forcing existing consumers to make adjustments.

Beyond these two fundamental principles, clear and comprehensive API documentation plays a vital role. By following these best practices, organizations can develop APIs that are both useful and usable, benefiting developers and businesses alike in the long run.

 

What security aspects must be considered when designing and implementing APIs?

APIs must be secure by design from the outset. Strong authentication, protection against attacks, secure communication channels, and continuous monitoring are essential to ensuring robust APIs.

APIs inherently expose certain aspects of an organization, which introduces risks. However, in practice, most API security challenges can be addressed relatively easily—similar to IT security in general. For instance, we examine the OWASP API Security Top Ten, which highlights the most common vulnerabilities.

In addition to designing, implementing, and securing APIs, we also emphasize the importance of API governance to prevent uncontrolled development. Security is not a one-time effort—regular security audits, penetration tests, and updates are essential components of an effective API security strategy.

 

How does API governance differ from API management, and why is it still not widely implemented in many organizations?

API management focuses on the technical and operational aspects of managing APIs, including monitoring, analytics, and access control. This is a necessary but relatively well-understood task.

API governance, on the other hand, is concerned with the strategic oversight of an organization’s entire API landscape. It involves maintaining an overview of existing APIs, establishing guidelines and compliance checks, and defining a clear strategy for API discovery and lifecycle management.

Organizations typically begin to address API governance only once they recognize the strategic value of APIs. Many companies are still in the process of making this shift, which is why API governance remains underdeveloped in many environments.
