2023 State of the API Report

We asked survey participants how long it typically takes to conceive, implement, test, and deliver an API to a production environment. The results were largely unchanged from last year.

Some industries were faster at producing APIs than others. In education, 18% of respondents said they required a day or less. In financial services, only 11% of survey-takers said the same.

We also asked participants how frequently they deploy APIs to production. The most common response? One-third said they deploy between once a week and once a month.

Just 6% of respondents deployed between once per hour and once per day. But among API-first leaders, the percentage was higher: 10% deploy that frequently.

How often do API changes fail when pushed to production? Not often. Fewer than one in 20 API changes fails, according to half of respondents.

Healthcare claimed the best failure rate, with 55% of respondents stating that fewer than one in 20 API deployments failed. Education was at the other end of the spectrum; only 43% of respondents there said their failure rate was that good.

API-first leaders were less likely to encounter failures than all respondents, with 60% stating that failures occurred less than one time in 20.

When an API fails, how quickly can it typically be restored? We're happy to say that this figure has improved steadily over the years. Today, 41% say they can restore the API in less than one hour. That's an improvement from 38% last year and 34% the year before that.

API-first leaders reported the fastest recovery times: 53% indicated they could be back up in less than an hour.

In 2023, global survey-takers reported fewer API-related security events: 56% said incidents happen less than once a year, an improvement on last year's 52%.

When we break out the results by country, we see some stark differences. Incidents were rarest in the U.S., with 67% of respondents saying API security events occur less than once a year.

In Europe, the Middle East, and Africa, only 57% of respondents could make that claim. In the Asia-Pacific and Latin America, the figure was lower still, with only 47% saying API security events happened less than once a year.

We asked respondents to identify which API security risks posed the greatest concern for their organization.

Their top choice was “Improper authentication, authorization, or access control,” cited by an almost two-to-one margin over other risks.

CEOs, CTOs, and developers were aligned on this view, with about 30% of each group acknowledging it as a key hazard. But some job roles were less likely to recognize improper access as a key risk: just 21% of product VPs and 26% of data engineers/analysts cited it as a top concern.

When we asked about obstacles to consuming APIs, 52% of respondents said lack of documentation was the biggest problem. Other top barriers included difficulty discovering APIs (32%) and lack of time (27%).

API-first leaders, on the whole, were less likely to cite any obstacles to consuming APIs—with one exception. They were more likely to mention difficulty reusing APIs or microservices. Twenty-one percent of API-first leaders cited this pain point, compared with just 19% of respondents overall.

In this year's survey, a lack of time and people were again named as the biggest obstacles to producing APIs.

But when we filtered by large companies with over 5,000 developers, a different top problem emerged. Respondents at these mega-companies cited a lack of API design skills as the biggest obstacle to producing APIs.

Interestingly, respondents at these large companies were also more likely to say that “Managing too many APIs or microservices” was an obstacle to producing APIs. Thirty-one percent of these respondents said so, compared with just 23% of all survey.

It's possible the lack of API design skills is making it more difficult to manage APIs and microservices at the largest companies.

When we asked respondents to cite the different ways they collaborate on APIs, their most common answer was working with API artifacts on a collaboration platform such as Postman (50%). Next up was publishing API artifacts to GitLab, GitHub, or Bitbucket, which was chosen by 39% of respondents.

When it comes to change-management practices, there was a new preferred method: using Git repositories. This practice earned the most mentions in 2023, just edging out versioning APIs, which was the most popular choice in the previous two years.

When it comes to API testing, users employed a wide variety of practices, although functional testing (67%) and integration testing (64%) dominated the answers. No other testing practice came within 10 percentage points of those two choices.

As in prior years, one in 25 respondents said their team doesn't test its APIs.