BNP Paribas ITG Case Study

 

On-Premises Developer Portals with Automated API Reference Publishing

Summary

Client: BNP Paribas ITG 

Industry: International financial services

ITG’s on-premise, external developer portals offer a new way to open up to BNP Paribas’ partners, who can create their open banking and IT-related applications. The relationship began in 2019 with a close collaboration between BNP Paribas Group and Pronovix, which BNP ITG joined in 2021. BNP Paribas IT Group is responsible for internal support of 15 instances.

About BNP Paribas ITG

Technology and Innovation

BNP Paribas (BNPP for short) is committed to leveraging technology and innovation to continuously enhance the experience of its customers and employees. ITG is a branch within BNP Paribas’ extensive company; besides open banking, it also takes care of a wide variety of IT services.

As they state on the developer portal, with their global reach, their coordinated business lines and proven expertise, ‘the Group provides a full range of innovative solutions adapted to client needs. These include payments, cash management, traditional and specialised financing, savings, protection insurance, wealth and asset management as well as real-estate services.’

The Developer Portal’s Business Value

As we learned from ITG, it is 'important that our partners find easily our API products and that they understand quickly how to connect to our APIs. Therefore, the API portal is key to describe the API products, illustrate with use cases, display the documentation of the API, enable the tests… In a few words, the API portal is key to facilitate the onboarding for our API consumers.' 

The developer portal makes the API consumers more autonomous. 'They can find the API documentation, start testing and request the access to an API. This gives more time for API producers and API owners to concentrate on other topics. The API portal is also a way to give access to API keys (credentials) by using a tool that is secure thanks to the strong customer authentication method that we have on the API portal for API consumers.'

Internal Code Usage and Support

ITG receives code deliveries from Pronovix and they install them in-house with their dedicated team. The delivered code, comprising both open-source and custom elements, is owned by BNPP Group, allowing reuse across all of their branches. This approach delivers cost-efficient and secure outcomes from a business standpoint, while ensuring vendor independence. 

The on-premise solution (that is, the in-house installation) reduces exposure to external systems, allows customization to specific needs, and enables cost control, as there are no recurring subscription fees for each instance. As it reduces dependencies on third parties and gives full control over data, it ensures reliable security tailored to the business needs.

Pronovix provides second-line support in troubleshooting, debugging, training, and architect discussions and is responsible for feature implementations.

APIs: Discoverability, Support, and Automation

As ITG states on the developer portal, ‘our APIs are developed to help developers to save time, using trusted and secure code.’ To optimize discoverability, users can search for APIs in two different ways: one is keyword-based and the other is the faceted one. The latter focuses on the APIs’ status. 

BNPP ITG has three options on the developer portal to filter the published API documentation pages in the API Catalog: keyword search through a search bar, filtering by category, and filtering by status.

All APIs have categories, statuses, and versions visible on the API cards and in the API header. After opening one API, the versioning is visible on the header in a pill. In other words, both colors and text guide the user. 

API details on the developer portal

It’s also possible to reach out to the API Owner directly to ask questions or send feedback, through a custom notification enhancement. A dropdown lists the main categories of message that can come up (e.g. ‘I have an issue with your API’, etc.).

Not only do roles influence visibility, it’s also possible to specify visibility on the Docs. There are three options for API Reference visibility: public, private with public overview (visible for Anonymous and Authenticated users), and private without public overview (visible for Authenticated users who have already been granted access to the full documentation).

It’s also possible to set the API provider (BNP Paribas or one of their Partners), add tags, and select the category.
 

Automated API Reference Publishing

One of the many unique solutions is that a REST API controls the API Reference publishing for OAS (OpenAPI Specification). This way, the publisher does not have to upload everything manually. As BNPP’s APIs have many fields and different metadata, this makes the work faster and more efficient. If they want to upload other types of APIs (like Async), they can upload all the data manually.

BNPP can freely add a new Category when editing an API reference. The same domain field is displayed on the Info tab and BNPP can also edit it there; however, it is only possible to add already existing domain categories.

Authenticated Users: Internal and External SSO and Role Management

On ITG’s developer portal, internal and external SSO are available for two distinct audiences. Internal is for BNPP employees, while external belongs to the company’s partners. 

As there are many users with different responsibilities and tasks, the developer portal has extended variations of roles such as Team Manager, API Architect, and so on. 

Roles limit what a user can do and what they see sitewide, including the API Reference documentation. Based on their roles, users see different elements on the APIs’ Info or Manage Access tabs.

If a user is Authenticated, they can access the full documentation of Public APIs, the Overview and Info page linked to the API documentation, can see Private documentation with public overview in the Catalog, and can request access to the full documentation. 

The distinction between ‘Private with public overview’ and ‘Private without public overview’ is that the latter is not available for all authenticated users (not even their Overview/Info tabs), therefore they cannot request access. Access can only be granted manually by the Admin or the Owner. 

In the case of ‘Private with public overview’ documentation, Authenticated users have to select the Request access button, which submits their request for the chosen entity. The full documentation access status automatically changes to ‘In progress’ on the Info page, and they can request access to another entity they are entitled to. The API Owner has to approve (or reject) the request, and users get email notifications about the status updates.

Administrators and Entity Admins can track changes in the roles, and Administrators can mass add consumers without the API Owners having to handle each request individually.

Other Features and Custom Solutions

Certificates 

Certificates in API app management are cryptographic credentials used to authenticate and secure communication between applications and APIs, ensuring that only trusted entities can access sensitive data or services. They are useful because they provide an extra layer of security, help prevent unauthorized access, and verify the identity of the application or user, thereby protecting both the API provider and the consumer. 

Provider’s side 

Certificates act as secondary authentication for partners at the user level, which adds another layer of security. Uploading a certificate is still optional for using Sandbox and Production APIs.

Certificate Managers get notifications at pre-defined intervals and can validate certificates manually. Managers can also download the certificate, search for owners, and filter by validation status on the ‘Manage certificates’ page.

Consumer’s side 

When a user uploads a certificate, an automatic validation process ensures that it meets the necessary requirements. 

If a certificate has been approved, it becomes visible during the authentication process. Teams (= Apigee Company feature) and team apps are also in the scope of the feature.
 

Accelerating API Development with API Subscription Evolution

On BNPP ITG’s developer portal, partners can subscribe to APIs that require JWT bearer/token authentication. Thanks to this feature, it is possible to filter the APIs list from the Registry and retrieve APIs from Apigee. Registry is ITG’s internal API management platform integrated with Apigee Edge and it allows entities to develop APIs quicker by using templates. 

The API name, version, and authentication method are only available if Registry access is configured and available for the given developer portal instance.

Internal Data Analysis: Export API Details

On ITG’s developer portal, every API is available on one separate page called All APIs. From here, Admins can export all APIs’ details, which includes metadata that holds any significance for the company.

Notifications

Thanks to the built-in notification system, API Owner(s) receive access requests. There are different emails for API Documentation access requests and API Product access requests. This way, providers don’t have to check the developer portal to see if there are new requests, but they are notified automatically instead.

Audit Trails

Audit Trails is a security feature: it shows what happened, when, and who initiated the changes. The Audit Trails are available for Roles, Developer Apps, Team Apps, and Certificates (for example, one can check if someone’s role has changed, when it happened, and who made the change). This feature acts as a log that gives an overview of the changes made.

Health Check URL Module

BNPP ITG’s team can check the status of the portal via a dedicated URL. If the site has any issues, it will show error messages. After a site update, this method can catch any issues or highlight if everything went according to the plan.

Central Navigation

On the top right corner a Dropdown button is available. This includes the user name, the user’s apps, profile, and team.

Site settings can also be placed in Configuration Ignore, which means BNPP ITG’s team can freely change settings such as the Site Slogan, notification email templates, etc. without any further customization in the code.

Plans for the Future:

Certificates, JWT Bearer/Token

As authentication and authorization (using certificates and JWT bearer/token) play a huge role on BNPP ITG’s developer portal, in the future they will dedicate efforts to this topic and will also improve the integration of Registry.

ITG is also interested in an Apigee Hybrid/X solution, where instances use Apigee X based on Pronovix’s code, and they have already taken steps in this direction internally.

If you seek specialized assistance with your API strategy or with your developer portal, talk with us to learn more about Zero Gravity developer portals and how they can accelerate and simplify your work. 
