Entity relationships and governance model

ApiShare operates within a structured governance framework that ensures clarity in the relationships between Organizations, Groups, Applications, APIs, Subscriptions, Key Sets and Policies. These entities interact within a well-defined governance model that supports multi-tenancy, access control, and lifecycle management.

Organizations and Groups

Organizations and Groups define how users interact with APIs and applications:

  • Organizations: Represent business units or external partners that manage APIs.

  • Groups: Allow for granular access control within an organization by assigning specific roles and permissions to users.

Applications

In ApiShare, an Application is a representation of a digital system that either exposes or consumes one or more APIs. Applications are always associated with an Organization.

  • A Producer Application provides APIs (Products/Assets) to external consumers.

  • A Consumer Application subscribes to APIs provided by others in order to invoke them.

Applications ensure governance rules are enforced while maintaining a structured subscription model.

APIs

ApiShare distinguishes between two kinds of API, Products and Assets, to provide flexibility in API governance:

  • API Products: Business-level APIs that are externally consumable and designed for application integration.

  • API Assets: Technical backend services that power API Products but are not directly exposed to external consumers.

API Products are often linked to one or more API Assets, which handle the actual execution of API requests.

An API Product is exposed by a Producer Application and can be subscribed to by multiple Consumer Applications across different environments.

Subscription: Relationships Between Applications and APIs

A Subscription links a Consumer Application to one or more APIs (Products) exposed by Producer Applications in a given environment.

Key characteristics:

  • It expresses the Consumer Application's intent to consume.

  • It is environment-specific (e.g., you subscribe to the DEV version of the API).

  • It is governed by policies that define the authentication and access behavior.

Diagrams

Simple Scenario

One Asset, many Products

Application consuming a Product and an Asset from the same provider Application

The full picture: relationships among different organizations and groups

Key Sets: credential management within Subscriptions

Each Subscription results in the assignment of a Key Set, which contains the credentials used to invoke the APIs. These Key Sets are generated automatically and governed by the associated Policy Template.

Key Sets are not standalone entities, but logical constructs created and managed as part of Subscription workflows. They serve as the credential container used by a Consumer Application to access one or more subscribed APIs under a unified security policy.

Key behavior:

  • Key Sets are shared across Subscriptions only if:

    • They belong to the same Consumer Application,

    • They operate in the same environment,

    • Their target APIs are governed by the same Policy Template.

  • Otherwise, separate Key Sets are generated.

Example Scenarios:

  • Same Application, same environment, same policy template → shared Key Set

  • Same Application, different environment → separate Key Sets

  • Same Application, same environment, different policies → separate Key Sets

Policy Templates

Policies govern the lifecycle of credentials associated with Subscriptions (i.e., Key Sets). Each API must be assigned a Policy Template, which defines:

  • Authentication method (e.g., API Key, OAuth2)

  • Key expiration (e.g., 30 days)

  • Rotation behavior (e.g., 15 days)

  • Key regeneration options (manual/automatic)

If no Policy Template is assigned to an API, a default policy applies (no expiration, no rotation).

The Policy Template is evaluated at the time of Subscription, and determines how the credentials are managed throughout the Subscription lifecycle.
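
The Key Set sharing rule and the default-policy fallback described above, worked through as an added example that is not ApiShare code. The `Subscription` class, the `default` label and every application, API and template name are assumptions made for illustration; the review step shows which credentials fall under the default policy and which single Key Set reaches several APIs.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical model for illustration; not ApiShare's data model or API.
DEFAULT_POLICY = "default"  # assumed label for "no Policy Template assigned"

@dataclass(frozen=True)
class Subscription:
    consumer_app: str
    environment: str
    api: str
    policy_template: Optional[str]  # None -> default policy (no expiration, no rotation)

def assign_key_sets(subscriptions):
    """Group subscriptions into Key Sets using the sharing rule on this page:
    same Consumer Application, same environment, same Policy Template."""
    key_sets = defaultdict(list)
    for sub in subscriptions:
        key = (sub.consumer_app, sub.environment, sub.policy_template or DEFAULT_POLICY)
        key_sets[key].append(sub.api)
    return dict(key_sets)

def review_findings(key_sets):
    """Return (key, reason) pairs a reviewer would want to look at."""
    findings = []
    for key, apis in sorted(key_sets.items()):
        if key[2] == DEFAULT_POLICY:
            findings.append((key, "credentials never expire or rotate"))
        if len(apis) > 1:
            findings.append((key, f"one credential reaches {len(apis)} APIs"))
    return findings

# Constructed sample data.
SAMPLE = [
    Subscription("billing-ui", "DEV", "payments", "oauth2-30d"),
    Subscription("billing-ui", "DEV", "invoices", "oauth2-30d"),
    Subscription("billing-ui", "PROD", "payments", "oauth2-30d"),
    Subscription("billing-ui", "DEV", "reports", "apikey-90d"),
    Subscription("billing-ui", "DEV", "legacy-export", None),
]

if __name__ == "__main__":
    ks = assign_key_sets(SAMPLE)
    for key, apis in sorted(ks.items()):
        print(key, "->", apis)
    for key, reason in review_findings(ks):
        print("REVIEW", key, reason)
```
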

Entity Relationships Summary

ApiShare models all interactions between APIs and Applications through subscriptions. These interactions are always scoped to a specific environment and governed by policies.

| Entity | Related Entity | Relationship Description |
| --- | --- | --- |
| Producer Application | API Product | Publishes one or more APIs to be consumed by external or internal applications. |
| API Product | API Asset | Is backed by one or more Assets that implement its functionality. |
| Consumer Application | API Product | Consumes APIs via Subscriptions. |
| Consumer Application | Subscription | Initiates a Subscription to access an API Product. |
| Subscription | API Product | Grants access to the API Product under specific conditions and scopes. |
| Subscription | Key Set (credentials) | Generates or reuses a Key Set to enforce security and access policies. |
| Key Set | Policy | Is governed by a Policy that defines how credentials are issued and rotated. |
| Policy | Policy Template | Is derived from a Policy Template configured by the platform/security team and is specific to a Key Set. |
| API Product | Policy Template | Must be linked to a Policy Template, which determines access conditions and key behavior. |
