API Development & Integration: Process, Cost, Security & Examples
At a Glance - API Development & Integration (2026)
- Primary use cases: Connect web/mobile apps to backends, payment gateways, ERP, CRM, logistics carriers
- Default design: REST + OpenAPI for public/partner APIs · GraphQL when clients need flexible queries · gRPC for internal microservices
- Auth: OAuth 2.0 / JWT for user APIs · API keys + HMAC for server-to-server · mTLS for high-trust B2B
- Documentation: OpenAPI 3.x spec · Postman collection · changelog per version
- Typical build (Sri Lanka): Single integration LKR 80K-250K · custom API module LKR 400K-2M · multi-system platform LKR 2M-8M+
- Non-negotiable: HTTPS, input validation, webhook idempotency, rate limits, audit logs on money/data mutations
Introduction
API development and integration services connect your product to everything else it depends on: payment gateways, warehouse systems, CRM records, courier tracking, and internal databases. In 2026, Sri Lankan businesses rarely need a standalone "API project" - they need reliable system integration services that keep orders, stock, invoices, and customer data in sync without manual re-entry.
This guide covers API integration Sri Lanka buyers should use to scope work: integration types, design choices (REST vs GraphQL vs gRPC), authentication patterns, documentation and testing expectations, pricing factors, and real examples (payments, ERP, CRM, logistics). For delivery process and contracts, see custom software development Sri Lanka. For outsourcing engagement models, see IT outsourcing Sri Lanka.
Integration Types
Match the integration pattern to data direction and who owns the system of record.
| Type | What it does | Example |
|---|---|---|
| Inbound (consume) | Your app calls a third-party API | PayHere checkout, Google Maps, SMS gateway |
| Outbound (expose) | Partners or mobile apps call your API | Franchisee ordering API, partner stock feed |
| Bidirectional sync | Two systems stay aligned on shared entities | Shopify orders ↔ ERP sales orders |
| Webhook / event | Push notifications on state change | Payment settled → mark order paid |
| Batch / ETL | Scheduled file or bulk API import | Nightly price list from supplier CSV |
| Legacy bridge | Modern app talks to old DB or SOAP service | REST facade over on-prem accounting DB |
API Design Choices
Custom API development starts with picking the right style - not the trendiest one. Most Sri Lankan SME and mid-market projects default to REST + JSON unless there is a clear reason to add GraphQL or gRPC.
| Style | Best for | Trade-off |
|---|---|---|
| REST | Public/partner APIs, CRUD, mobile backends | Over-fetching on complex graphs; versioning discipline required |
| GraphQL | Mobile apps with varied screens, BFF layer | Query cost control, caching complexity - see GraphQL vs REST |
| gRPC | Internal microservice calls, high-throughput workers | Browser-unfriendly without gateway; protobuf toolchain |
| Webhooks | Async partner events (payments, shipments) | Must handle retries, signatures, idempotency |
REST conventions we enforce
- Resource URLs:
GET /api/v1/orders/{id}- nouns, not verbs - Correct HTTP status codes: 201 on create, 409 on conflict, 422 on validation
- Pagination:
?page=2&limit=20or cursor-based for large feeds - Version in path (
/v1/) with documented deprecation window - Consistent error envelope:
code,message,fieldfor validation errors
Authentication & Authorization
Auth is where integrations fail in production - not in the happy-path demo. Pick one primary model per API surface.
| Pattern | Use when | Notes |
|---|---|---|
| OAuth 2.0 + JWT | User-facing mobile/web apps | Short-lived access tokens; refresh rotation; scope per role |
| API keys | Server-to-server, internal tools | Rotate keys; never in client-side code; rate limit per key |
| HMAC signatures | Webhooks (PayHere, couriers) | Verify on raw body; reject replayed timestamps |
| mTLS | Bank, insurer, high-trust B2B | Certificate lifecycle and renewal planning |
Broader security checklist: cybersecurity Sri Lanka · cybersecurity services.
API Documentation
Documentation is part of the deliverable - not a PDF afterthought. Good docs cut integration time for your team and partners.
- OpenAPI 3.x - machine-readable spec; generates Swagger UI and client SDKs
- Postman collection - pre-filled examples with auth and environment variables
- Changelog - per API version; breaking changes flagged 30+ days ahead
- Sandbox credentials - separate from production; sample payloads for each endpoint
- Error catalogue - every
codewith remediation steps
Deeper GraphQL schema design: GraphQL API development guide.
API Testing & Release Gates
APIs without automated tests become expensive to change. Minimum bar before production:
| Layer | What to test | Tools |
|---|---|---|
| Contract | Request/response schema matches OpenAPI | Dredd, Schemathesis, openapi-diff on PR |
| Integration | DB writes, auth, webhook handlers | Vitest/Jest + test DB; sandbox provider keys |
| Load | p95 latency and error rate at peak QPS | k6, Locust - run before Black Friday / campaign launches |
| Security | Auth bypass, IDOR, injection on new routes | OWASP ZAP on staging; manual IDOR checklist |
Full QA strategy: software testing best practices · CI wiring: DevOps & CI/CD Sri Lanka.
Related reading: Payments: PayHere integration guide · Microservices: microservices patterns · Go APIs: Golang backend guide.
API development and integration, scoped and tested
Hashtag Coders - custom REST/GraphQL APIs, payment and ERP connectors, OpenAPI docs, and CI release gates for Sri Lankan and international clients.
Pricing Factors (Sri Lanka, 2026)
Quotes depend on endpoints, auth complexity, number of external systems, and whether you need ongoing monitoring - not "per API" alone. Jaffna teams often quote 15-25% below Colombo for equivalent scope.
| Scope | Typical deliverables | LKR (indicative) | Timeline |
|---|---|---|---|
| Single third-party integration | One provider (e.g. PayHere), webhooks, error handling, sandbox UAT | 80K-250K | 2-4 weeks |
| Custom API module | 10-25 endpoints, JWT auth, OpenAPI, tests, staging deploy | 400K-1.2M | 4-8 weeks |
| Multi-system integration hub | ERP + e-commerce + CRM sync, mapping layer, retry queues, admin dashboard | 1.5M-4M | 8-16 weeks |
| Enterprise / regulated | mTLS, audit logs, penetration test support, SLA monitoring | 3M-8M+ | 3-6 months phased |
Add-ons: API gateway setup (LKR 150K-400K) · observability stack (LKR 80K-200K) · annual maintenance LKR 120K-400K/year.
Integration Examples
Payments (PayHere, Stripe)
Checkout creates a server-side payment session; customer completes payment on hosted or embedded UI; webhook verifies signature before marking order paid. Idempotent handler prevents double-fulfilment on duplicate callbacks. Full provider comparison: payment gateway integration Sri Lanka.
ERP (inventory, invoicing)
E-commerce or POS pushes sales orders to ERP; ERP returns stock levels and invoice numbers. Map SKU codes explicitly - do not assume names match. Use a dead-letter queue for failed sync rows and an admin screen to replay. Often pairs with POS retail systems or e-commerce builds.
CRM (leads, customers)
Website forms and chatbots create leads in HubSpot, Zoho, or a custom CRM via API. Define field mapping, duplicate detection (email/phone), and consent flags for PDPA. Batch backfill for historical contacts is a separate scoped task.
Logistics (courier tracking)
On dispatch, create shipment with courier API; store tracking ID; poll or receive webhook for status (picked up, out for delivery, delivered). Customer portal reads status from your DB - not live courier calls on every page view.
Delivery Process (Hashtag Coders)
- Discovery (1-2 weeks): Systems diagram, data ownership, auth model, sandbox access
- Contract & mapping (1 week): Field mapping doc, error codes, SLAs per integration
- Build & test (2-10 weeks): API or connector code, OpenAPI, automated tests
- UAT with real sandboxes: Payment test cards, ERP test company, courier test AWBs
- Go-live & monitor: Alerting on webhook failures, latency, error rate
Stack choices: Node.js/Next.js API routes, Laravel, or Go - matched to your existing platform. See DevOps services for pipeline and monitoring setup.
Frequently Asked Questions
REST or GraphQL for our new mobile app?
Start REST unless screens need highly variable nested data from many resources in one call. GraphQL adds schema governance and query-cost controls - worth it for complex mobile clients, not for a five-endpoint MVP.
How long does PayHere integration take?
Hosted checkout with webhooks: typically 1-2 weeks development plus merchant KYC time with PayHere. Custom card flows or subscriptions take longer.
Do we need an API gateway?
Not on day one for a monolith. Add Kong, AWS API Gateway, or similar when you expose multiple microservices to partners or need central rate limiting and auth.
Who owns the API specification?
You should. Contract must hand over OpenAPI files, Postman collections, repository access, and environment documentation on final payment.
Can you integrate with our legacy on-prem ERP?
Yes - usually via a VPN-restricted bridge service, scheduled sync, or a REST wrapper over existing DB views. Scope depends on ERP documentation quality and write access policies.
Conclusion
API development and integration services succeed when design, auth, documentation, and testing are scoped together - not as an afterthought to a UI build. Use this guide to compare integration types, choose REST vs GraphQL vs gRPC honestly, and budget for webhooks, mapping layers, and monitoring. Match vendor quotes to the same deliverable list: endpoints, OpenAPI, tests, and sandbox UAT sign-off.