Since ChatGPT rocketed the potential of generative AI into the collective consciousness there has been a race to add AI to everything. Every product owner has been salivating at the possibility of new AIPowered features. Every marketing department is chomping at the bit to add a “powered by AI” sticker to the website. For the average layperson playing with ChatGPT's conversational interface, it seems easy however integrating these tools securely, reliably, and in a costeffective manner requires much more than simply adding a chat interface. Moreover, getting consistent results from a chat interface is more than an art than a science. Ultimately, the chat interface is a nice gimmick to show off capabilities, but serious integration of these tools into most applications requires a more thoughtful approach.

This is not another “AI is Magic” cheerleading session, nor an overly critical analysis of the field. Instead, this session looks at a number of valid usecases for the tools and introduces architecture patterns for implementing these usecases. Throughout we will explore the tradeoffs of the patterns as well as the application of AI in each scenario. We'll explore usecases from simple, direct integrations to the more complex involving RAG and agentic systems.

Although this is an emerging field, the content is not theoretical. These are patterns that are being used in production both in Michael's practice as a handson software architect and beyond.

Architects must maintain their breadth, and this session will build on that to prepare you for the inevitable AIpowered project in your future.

Although this is an emerging field, the content is not theoretical. These are patterns that are being used in production both in Michael's practice as a handson software architect and beyond.

Architects must maintain their breadth, and this session will build on that to prepare you for the inevitable AIpowered project in your future.

The age of hypermedia-driven APIs is finally upon us, and it’s unlocking a radical new future for AI agents. By combining the power of the Hydra linked-data vocabulary with semantic payloads, APIs can become fully self-describing and consumable by intelligent agents, paving the way for a new class of autonomous systems. In this session, we’ll explore how mature REST APIs (level 3) open up groundbreaking possibilities for agentic systems, where AI agents can perform complex tasks without human intervention.

You’ll learn how language models can understand and interact with hypermedia-driven APIs, and how linked data can power autonomous decision-making. We’ll also examine real-world use cases where AI agents use these advanced APIs to transform industries—from e-commerce to enterprise software. If you’re ready to explore the future of AI-driven systems and how hypermedia APIs are the key to unlocking it, this session will give you the knowledge and tools to get started.

REST APIs often fall into a cycle of constant refactoring and rewrites, leading to wasted time, technical debt, and endless rework. This is especially difficult when you don't control the API clients.

But what if this could be your last major API refactor? In this session, we’ll dive into strategies for designing and refactoring REST APIs with long-term sustainability in mind—ensuring that your next refactor sets you up for the future.

You’ll learn how to design APIs that can adapt to changing business requirements and scale effectively without requiring constant rewrites. We’ll explore principles like extensibility, versioning, and decoupling, all aimed at future-proofing your API while keeping backward compatibility intact. Along the way, we’ll examine real-world examples of incremental API refactoring, where breaking the cycle of endless rewrites is possible.

This session is perfect for API developers, architects, and tech leads who are ready to stop chasing their tails and want to invest in designing APIs that will stand the test of time—so they can focus on building great features instead of constantly rewriting code.

Integration, once a luxury, is now a necessity. Doing this well, however, continues to be elusive. Early attempts to build better distributed systems such as DCOM, CORBA, and SOAP were widely regarded as failures. Today the focus is on REST, RPC, and graphql style APIs.

Which is best? The goto answer for architects is, of course, “it depends.”

In this session, we look at the various API approaches, how they attempt to deal with the challenge of decoupling client from server, evolvability, extensibility, adaptability, composability.

The biggest challenge is that needs change over time, and APIs must necessarily evolve. Versioning is challenging, and breaking changes are inevitable. You'll leave this session with a highlevel understanding of these approach, their respective tradeoffs and ultimately how to align your API approach with your architectural and organizational goals.

I personally believe that the success of an API initiative is at
least largely influenced by the selection and development of the
team that will build and maintain it.

Code-focused developers are not the right starting point. People who
think about information and long-term value capture are more likely
to produce better results. People who actually care about the API
beyond a thin-layer above their code are a great start.

We often say that we are trying to “Build the Right Thing” and
“Build the Thing Right”. But how do you know you are building the
right thing? How are you validating the implementation and the
behavior of the system? How are your business analysts supposed to
verify the API is doing what it is supposed to if your testing
strategy is complicated and code-focused?

In this talk, I will discuss these ideas and more. I will tell you
about a team I put together with no API background that built
what became a $300 million revenue stream in its first few years.

One of the nice operational features of the REST architectural style as an approach to API Design is that is allows for separate evolution of the client and server. Depending on the design choices a team makes, however, you may be putting a higher burden on your clients than you intend when you introduce breaking changes.

By taking advantage of the capabilities of OpenRewrite, we can start to manage the process of independent evolution while minimizing the impact. Code migration and refactoring can be used to transition existing clients away from older or deprecated APIs and toward new versions with less effort than trying to do it by hand.

In this talk we will focus on:

Managing API lifecycle changes by automating the migration from deprecated to supported APIs.
Discussing API evolution strategies and when they require assisted refactoring and when they don’t.
*Integrating OpenRewrite into API-first development to ensure client code is always up-to-date with ease.

In the fast-moving world of API development, the right tools can make all the difference—especially in the age of AI. As automation accelerates and complexity grows, it’s never been more important to equip your teams with tools that support clarity, consistency, and velocity. This session explores a curated set of essential tools that every API practitioner should know—spanning the entire API lifecycle. From design and development to governance, documentation, and collaboration, we’ll highlight solutions that boost productivity and support scalable, AI-ready API practices. Whether you're refining your stack or starting from scratch, this toolkit will help you deliver better APIs, faster.

Join to discover how this essential toolkit can empower your API journey, enhancing productivity and ensuring optimal performance throughout the API lifecycle.

In an era where digital transformation and AI adoption are accelerating across every industry, the need for consistent, scalable, and robust APIs has never been more critical. AI-powered tools—whether generating code, creating documentation, or integrating services—rely heavily on clean, well-structured API specifications to function effectively. As teams grow and the number of APIs multiplies, maintaining design consistency becomes a foundational requirement not just for human developers, but also for enabling reliable, intelligent automation. This session explores how linting and reusable models can help teams meet that challenge at scale.

We will explore API linting using the open-source Spectral project to enable teams to identify and rectify inconsistencies during design. In tandem, we will navigate the need for reusable models—recognizing that the best specification is the one you don’t have to write or lint at all! These two approaches not only facilitate the smooth integration of services but also foster collaboration across teams by providing a shared, consistent foundation.

In today’s fast-paced development environment, delivering robust and efficient APIs requires a streamlined design process that minimizes delays and maximizes collaboration. Mocking has emerged as a transformative tool in the API design lifecycle, enabling teams to prototype, test, and iterate at unprecedented speeds.

This talk explores the role of mocking in enhancing API design workflows, focusing on its ability to:

1.Facilitate early stakeholder feedback by simulating API behavior before development.
2.Enable parallel development by decoupling frontend and backend teams.
3.Identify design flaws and inconsistencies earlier, reducing costly downstream changes.
4.Support rapid iteration and experimentation without impacting live systems.

Using real-world examples and best practices, we’ll demonstrate how tools like Prism and WireMock can be leveraged to create mock APIs that enhance collaboration, improve quality, and dramatically accelerate development timelines. Attendees will leave with actionable insights on integrating mocking into their API design lifecycle, fostering innovation and speed without compromising reliability.

As organizations increasingly rely on APIs to power digital transformation, the need for consistent, scalable, and secure API management has become critical. However, implementing effective API governance is a complex endeavor fraught with challenges that span technical, organizational, and cultural dimensions.

This talk delves into the multifaceted challenges of API governance, including:

1.Balancing standardization with flexibility to accommodate diverse use cases.
2.Aligning cross-functional teams with varying priorities and levels of API maturity.
3.Ensuring compliance with evolving security, privacy, and regulatory standards.
4.Overcoming resistance to change and fostering a culture of accountability.
5.Integrating governance processes without stifling innovation or agility.

Drawing on over 10 years of experience dedicated exclusively to API strategy, governance, and implementation across industries, the presenter will share actionable insights and proven strategies for addressing these challenges. Attendees will gain practical tools to define clear governance frameworks, leverage automation, and promote stakeholder alignment, ensuring scalability, reliability, and long-term success in a rapidly evolving API ecosystem.

There's a clear need for security in the software systems that we build. The problem for most organizations is that they don't want to spend any money on it. Even if they did, they often have no idea how much to spend. No particular initiative is likely to imbue your system with “security”, but a strong, deep defensive approach is likely to give you a fighting chance of getting it right.

Web Security as applied to APIs in particular are an important part of the plan. In this workshop, we'll show you how approaches to defining “enough” as well as concrete techniques to employ incrementally in your designs.

In this workshop, we will pick a hands on framework for implementation, but the ideas will generally be standards-based and transcend technology choice so you should have a strategy for mapping the ideas into your own systems.

We will cover a broad range of topics including:

The concepts behind Building Security in
Designing for Security
Authentication and Authorization Strategies
Identity Management
Protecting Data in transit
Protecting Data at rest
Frameworks for selecting security features
Attack and Threat Models for APIs

We will cover a broad range of topics including:

The concepts behind Building Security in
Designing for Security
Authentication and Authorization Strategies
Identity Management
Protecting Data in transit
Protecting Data at rest
Frameworks for selecting security features
Attack and Threat Models for APIs

API security goes beyond protecting endpoints—it requires defense across infrastructure, data, and business logic. In this talk, I’ll present a structured approach to implementing Zero Trust security for APIs in a cloud-native architecture.

We’ll cover how to establish a strong foundation across layers—using mTLS, OAuth2/JWT, policy-as-code (OPA), GitOps for deployment integrity, and cloud-native secrets management. The session addresses real-world threats like misconfigurations, privilege escalation, and API abuse, and shows how to mitigate them with layered controls in Kubernetes-based environments on Azure and AWS.

Attendees will walk away with actionable practices to secure their API ecosystem end-to-end— without slowing development teams down.

In this session, I’ll walk through how we helped a large enterprise address fragmented API
practices and inconsistent governance by building a platform-first approach to API delivery.

Teams were deploying microservices independently on Azure Kubernetes Service (AKS) with no consistent routing, security, or visibility. We implemented a GitOps-powered framework that allowed teams to integrate a lightweight, Kubernetes-native gateway with their services, while inheriting organizational standards like rate limiting, JWT auth, routing consistency, and metadata tagging—without any manual ticketing or bottlenecks.
The platform approach enabled decentralized development with centralized governance,
accelerating service onboarding while ensuring every API remains secure, discoverable, and compliant by design.

This pair of presentations (90 mins each) teaches you how to leverage AI tools like ChatGPT to optimize the design, documentation, and testing of web APIs. As AI becomes increasingly crucial in software development, this course will equip you to integrate AI-assisted automation into human-driven API design.

By the end of this two part workshop, you will be able to leverage AI to generate structured API documentation, automate security profiling, and produce comprehensive API test scripts, significantly improving efficiency and accuracy. Participants will see real-world exercises, including AI-assisted vocabulary extraction, OpenAPI generation, and automated test scripting, to gain practical experience in AI-powered API development.

Workshop Objectives:

  How AI can assist in API development, from design to testing.  

  Methods to extract API vocabulary using AI from user stories.  

  How to generate OpenAPI specifications with minimal manual effort. 

  Techniques to automate the creation of human-friendly API documentation. 

  How AI can assist in identifying security risks and generating security profiles.  

  Best practices for using AI-generated API test scripts.  

  How to integrate AI-driven automation into an API development workflow.

Part 1 : Basics of AI-Driven API Design

  Course Introduction

  Course Outline

  Goals and format

  "Play-along" with the repo

  Design Basics

  Story

  Vocabulary

  Diagram

  Description

  Definition

  AI Prompt / Context Engineering

  Conversation

  Context

  Memory

  Tips

  Authoring API Stories

  Stories are shared understanding

  Parts of an API Story

  Iterating on your API Story

  Exercise: The Task Management API Story

  Generating ALPS Design Docs

  Information Architecture

  Application-Level Profile Semantics

  ALPS Basics

  Exercise: Generating Designs with API Stories

  Generating OpenAPI Documents

  A formal standard for describing HTTP APIs.

  Common way to describe implementations

  Common platform for tooling

  Shared practice for building 

  Exercise: Generating AopenAPI

By the end of the workshop, you will be able to leverage AI to generate structured API documentation, automate security profiling, and produce comprehensive API test scripts, significantly improving efficiency and accuracy. Participants will see real-world exercises, including AI-assisted vocabulary extraction, OpenAPI generation, and automated test scripting, to gain practical experience in AI-powered API development.

Course Objectives:

  How AI can assist in API development, from design to testing.  

  Methods to extract API vocabulary using AI from user stories.  

  How to generate OpenAPI specifications with minimal manual effort. 

  Techniques to automate the creation of human-friendly API documentation. 

  How AI can assist in identifying security risks and generating security profiles.  

  Best practices for using AI-generated API test scripts.  

  How to integrate AI-driven automation into an API development workflow.

Extending your AI-Driven API Design Experience

  Part 1 Quick Review

  API Design Basics

  AI Prompt Engineering

  Authoring API Stories

  Generating ALPS Design Docs

  Generating OpenAPI Documents

  Generating API Documentation

  What are Docs?

  Who uses them?

  Basic Elements of API Docs

  Exercise: Generate starter documentation

  Generating a Working Prototype

  What is a Prototype?

  Why use them?

  Prototype Essentials

  Exercise: Generate a NodeJS prototype

  Generating API Tests

  "Outside-In" testing

  Validating inputs/outputs

  Confirming Interface Behavior

  Exercise: Generating API Tests

  Generating Security Profiles

  API Security Basics

  RBAC to the rescue

  Modifying Existing Design Assets

  Exercise: Update Story, Generate Profile, regenerate, other assets

  Course Review and Next Steps

  Review Part 1 (design, AI, ALPS, & OpenAPI)

  Review Part 2 (docs, code, tests, & security)

  What Next?

This session covers key skills for creating consistently successful APIs and simple tools that you can use to turn those skills into working models, sketches, and running code.

Based on the book “Design and Build Great APIs”, this presentation shows the important balance between designing, building, and releasing APIs and how to create a consistent process for your company that ensures your API teams produce quality APIs that developers can easily use to provide timely business solutions for your organization.

You'll learn now to:

  Write API stories

  Diagram APIs with Web Sequence Diagrams

  Describe APIs with ALPS Profiles

  Generate multiple working API Sketches with API Blueprint

  Select a candidate sketch to Prototype with OpenAPISpec

  Build a fully-functional API using NodeJS, Express, and the DARRT framework

  Test APIs with Postman and Newman

  Deploy your API to production

Modern HTTP APIs power today’s connected world, acting as the core interface not only for developers, but also for the ever-growing ecosystem of machines, services, and now AI agents. As every organization is increasingly expected to produce and consume APIs at scale, the ability to design, build, deploy, and operate consistent, high-quality APIs has become a key competitive differentiator. With AI accelerating the need for composable, well-structured, and discoverable interfaces, API maturity is no longer optional—it’s essential. However, building and scaling effective API Design First practices across an enterprise is still fraught with manual processes, inconsistent standards, and slow governance models. To succeed, organizations must reimagine API Governance as a strategic enabler—one that prioritizes collaboration, stewardship, and automation.

In this session, we’ll explore the core stages of the API design lifecycle and share how to implement practical, modern governance models that increase productivity without sacrificing control. Drawing on real-world examples from SPS Commerce, as well as off-the-shelf tooling and custom solutions, we’ll show how to align your teams, accelerate delivery, and produce APIs that are robust, reusable, and ready for both human and AI consumers.

PIs built for humans often fail when consumed by AI agents. They rely on documentation instead of contracts, return unpredictable structures, and break silently when upgraded. Large Language Models (LLMs) and autonomous agents need something different: machine-discoverable, deterministic, idempotent, and lifecycle-managed APIs.
This session introduces a five-phase API readiness framework—from discovery to deprecation—so you can systematically evolve your APIs for safe, predictable AI consumption. You’ll learn how to assess current APIs, prioritize the ones that matter, and apply modern readiness practices: function/tool calling, schema validation, idempotency, version sunset headers, and agent-aware monitoring.

Problems Solved

LLMs fail due to polymorphic or unpredictable API responses
Agents retry or loop because APIs aren’t idempotent
Ambiguous error messages block autonomous remediation
Silent breaking changes halt long-lived agent integrations
Lack of lifecycle management creates risk and rework

What “AI-Readiness” Means

Machine-Discoverable: APIs described in OpenAPI 3.1 + JSON Schema; self-describing operations and data types.
Deterministic: Same input → same output shape; no hidden conditional payloads.
Idempotent: Safe retries using Idempotency-Key or request signature patterns.
Guardrailed: Strict schema validation, quota enforcement, and prompt-injection defense.
Lifecycle Managed: Semantic versioning, Deprecation/Sunset headers, contract testing, and migration guides.

Common Failure Modes Today

Polymorphic responses that confuse function-calling agents.
Ambiguous errors without remediation guidance.
Non-idempotent endpoints causing duplicate orders or charges.
Hidden side effects undocumented or triggered by retries.
Breaking changes without warning → agents silently fail.

Agenda
Introduction: The Shift from Human → Machine Consumption Why LLMs and agents fundamentally change API design expectations. Examples of human-centric patterns that break agent workflows.
Pattern 1: Assessment & Readiness Scorecard How to audit existing APIs for AI-readiness. Scoring dimensions: discoverability, determinism, idempotency, guardrails, lifecycle maturity. Sample scorecard matrix and benchmark scoring.
Pattern 2: Prioritization Strategy How to choose where to start:

High traffic + high risk first (payments, claims, healthcare, orders)
Partner/customer-facing before internal
Regulated domains (HIPAA, PCI, SOX) before unregulated
Consolidate schema, security, and idempotency changes together
Pattern 3: Five-Phase Readiness Roadmap
Discovery: Audit specs, tag agent traffic, document gaps.
Redesign: Harden schemas, fix errors, add idempotency keys and prompt-injection defenses.
Versioning: Adopt SemVer, support multiple versions, and emit Deprecation/Sunset headers.
Monitoring: Track agent vs human usage, retries, anomalies, cost attribution.
Deprecation: Communicate timelines, throttle old versions, enable fallback modes.
Pattern 4: Security & Guardrails Inject prompt-defense filters at the edge. Schema validation and rate-limiting. Automated regression testing against contract schemas to ensure safety.
Pattern 5: Case Studies
Stripe Idempotency: Eliminating duplicate charges with the Idempotency-Key pattern.
Deprecation Done Right: APIs that use Sunset headers for graceful agent migration.
Agent Tool Example: Mapping operationId=ReserveInventory directly to an LLM tool schema.
Wrap-Up & Discussion Recap of framework and quick wins. Using the Readiness Scorecard and KPI checklist to measure progress from human-centric APIs → agent-ready APIs. Discussion on embedding readiness audits in CI/CD governance.

Key Framework References

OpenAPI 3.1 + JSON Schema: Machine-readable API contracts
FinOps + AI Cost Governance: Tagging and metering agent usage
OWASP LLM Top 10: Prompt-injection and misuse defenses
API Lifecycle Standards: RFC 8594 (Deprecation), RFC 9457 (Sunset Header)
ISO/IEC 38507: Governance implications for AI-integrated systems

Takeaways

API Readiness Scorecard to evaluate current maturity
5-phase modernization roadmap: Discovery → Redesign → Versioning → Monitoring → Deprecation
Checklist + KPIs to align API modernization with AI readiness
Case patterns demonstrating resilient, agent-safe API evolution

AI agents don’t behave like humans. A single prompt can trigger thousands of parallel API calls, retries, and tool chains—creating bursty load, cache-miss storms, and runaway costs. This talk unpacks how to design and operate APIs that stay fast, reliable, and affordable under AI workloads. We’ll cover agent-aware rate limiting, backpressure & load shedding, deterministic-result caching, idempotency & deduplication, async/event-driven patterns, and autoscaling without bill shock. You’ll learn how to tag and trace agent traffic, set SLOs that survive tail latency, and build graceful-degradation playbooks that keep experiences usable when the graph goes wild.

Why scaling is different with AI

Bursty, spiky traffic from tool-chaining and agent loops
High fan-out per request → N downstream calls per prompt
Non-stationary patterns (time-of-day + product launches + model changes)
Cost correlates with requests × context × retries, not just QPS

Failure modes to expect (and design for)

Cache-miss storms after deploy/flush; thundering herds on hot keys
Retry amplification (agents + gateways + SDKs all retry)
Unbounded concurrency → DB saturation, queue buildup, 99.9th pct tail spikes
“Version drift” between agents and APIs → malformed or expensive calls

Traffic control & fairness

Multi-dimensional rate limits: per-tenant, per-agent, per-tool, per-chain
Budget-aware throttling: cap by token/$ budget, not just requests
Adaptive backpressure: shed or downgrade when saturation signals trip
Fair queuing: prevent “noisy” agents from starving others

Resilience patterns

Idempotency keys + deduplication for writes & retries
Circuit breakers & bulkheads around fragile dependencies
Timeouts with jitter + bounded retries (server hints for clients)
Graceful degradation: return partials, cached/stale, queued-async receipts

Caching that actually works for AI

Deterministic-result caching (prompt+params hash)
Shard & tier caches (memory → Redis → CDN/edge) + TTL tuned to freshness
Negative caching to suppress repeated failures
Stale-while-revalidate to tame cache-miss storms

Async & event-driven designs

Queue first for heavy/long-running tasks (workflows > request/response)
Outbox/Saga patterns for consistency across services
Streaming APIs for incremental results; webhooks/callbacks for completion
Backlogs with priorities (gold/silver/bronze) and dead-letter policies

Autoscaling without bill shock

Pick the right compute: provisioned concurrency for cold-start-sensitive paths; on-demand for bursty tools
KEDA/HPA on meaningful signals (RPS, lag, token usage, queue depth)
Guardrails: max concurrency per tenant, per region; budget limits with kill-switches
Multi-region strategy: active-active for reads; controlled writes with leader/follower or per-tenant pinning

Observability & cost governance

Tag human vs agent traffic; propagate chain-ID / tool-ID across spans
Golden signals + tail-latency SLOs (p95/p99), not just averages
Attribution: per-tenant/per-agent cost & cache hit rate; anomaly alerts on $/request
Workload forensics: detect loops, entropy spikes, unusual tool mixes

Testing & readiness

Property-based & fuzz tests for tool payloads
Replay traffic with elevated fan-out to validate limits & caches
Chaos & load testing at dependency edges (DB, vector store, model API)
Stepped rollouts with automatic rollback on SLO breach

Runbooks & playbooks

Cache-miss storm → warmers + SWR + temporary TTL bump
Retry storm → clamp retries, raise backoff, enable dedupe window
Cost spike → lower budgets, switch to cheaper tier/model, enable result reuse
Dependency brownout → feature flags to serve partials or stubbed results

Deliverables for attendees

Idempotency & retry checklist
Rate-limit/budget policy template (per-tenant/per-chain)
Cache-key & SWR guide for deterministic responses
Incident playbooks (cache storm, retry storm, dependency brownout)

Learning Objectives (Takeaways)

Design for bursty AI traffic with budget-aware rate limits, fair queuing, and adaptive backpressure.
Harden reliability using idempotency, deduplication, circuit breakers, timeouts, and bulkheads.
Cut latency & cost via deterministic-result caching, SWR, and shard/tiered cache strategies.
Operate with confidence by tagging agent traffic, tracing chain-IDs, and enforcing tail-latency SLOs.
Adopt async/event-driven patterns (queues, workflows, streaming) to keep UX snappy under heavy AI load.
Ship safe with realistic load/chaos tests, stepped rollouts, and incident playbooks ready to go.

A client once asked me to take a team that was new to REST, Agile, etc. and put together a high profile, high value commerce-oriented API in the period of six months. In the process of training the team and designing this API, I hit upon the idea of providing rich testing
coverage by mixing the Behavior-Driven Design testing approach with REST.

In this talk, I will walk you through the idea, the process, and the remarkable outcomes we achieved. I will show you how you can benefit as well from this increasingly useful testing strategy. The approach makes it easy to produce tests that are accessible to business analysts and other stakeholders who wouldn't understand the first
thing about more conventional unit tests.

Behavior is expressed using natural language. The consistent API style minimizes the upfront work in defining step definitions. In the end, \you can produce sophisticated coverage, smoke tests, and more that exercise the full functionality of the API. It also produces another organizational artifact that can be used in the future to migrate to
other implementation technologies.