Software Development, Integration

API Development & Integration: Process, Cost, Security & Examples

25th February, 2026
Updated: 01st July, 2026
11 min read
Software Development, Integration
API DevelopmentREST APIGraphQLIntegrationMicroservicesSystem Integration
HC

Hashtag Coders

Software Engineers & Digital Strategists

At a Glance - API Development & Integration (2026)

  • Primary use cases: Connect web/mobile apps to backends, payment gateways, ERP, CRM, logistics carriers
  • Default design: REST + OpenAPI for public/partner APIs · GraphQL when clients need flexible queries · gRPC for internal microservices
  • Auth: OAuth 2.0 / JWT for user APIs · API keys + HMAC for server-to-server · mTLS for high-trust B2B
  • Documentation: OpenAPI 3.x spec · Postman collection · changelog per version
  • Typical build (Sri Lanka): Single integration LKR 80K-250K · custom API module LKR 400K-2M · multi-system platform LKR 2M-8M+
  • Non-negotiable: HTTPS, input validation, webhook idempotency, rate limits, audit logs on money/data mutations

Introduction

API development and integration services connect your product to everything else it depends on: payment gateways, warehouse systems, CRM records, courier tracking, and internal databases. In 2026, Sri Lankan businesses rarely need a standalone "API project" - they need reliable system integration services that keep orders, stock, invoices, and customer data in sync without manual re-entry.

This guide covers API integration Sri Lanka buyers should use to scope work: integration types, design choices (REST vs GraphQL vs gRPC), authentication patterns, documentation and testing expectations, pricing factors, and real examples (payments, ERP, CRM, logistics). For delivery process and contracts, see custom software development Sri Lanka. For outsourcing engagement models, see IT outsourcing Sri Lanka.

Integration Types

Match the integration pattern to data direction and who owns the system of record.

Type What it does Example
Inbound (consume) Your app calls a third-party API PayHere checkout, Google Maps, SMS gateway
Outbound (expose) Partners or mobile apps call your API Franchisee ordering API, partner stock feed
Bidirectional sync Two systems stay aligned on shared entities Shopify orders ↔ ERP sales orders
Webhook / event Push notifications on state change Payment settled → mark order paid
Batch / ETL Scheduled file or bulk API import Nightly price list from supplier CSV
Legacy bridge Modern app talks to old DB or SOAP service REST facade over on-prem accounting DB

API Design Choices

Custom API development starts with picking the right style - not the trendiest one. Most Sri Lankan SME and mid-market projects default to REST + JSON unless there is a clear reason to add GraphQL or gRPC.

Style Best for Trade-off
REST Public/partner APIs, CRUD, mobile backends Over-fetching on complex graphs; versioning discipline required
GraphQL Mobile apps with varied screens, BFF layer Query cost control, caching complexity - see GraphQL vs REST
gRPC Internal microservice calls, high-throughput workers Browser-unfriendly without gateway; protobuf toolchain
Webhooks Async partner events (payments, shipments) Must handle retries, signatures, idempotency

REST conventions we enforce

  • Resource URLs: GET /api/v1/orders/{id} - nouns, not verbs
  • Correct HTTP status codes: 201 on create, 409 on conflict, 422 on validation
  • Pagination: ?page=2&limit=20 or cursor-based for large feeds
  • Version in path (/v1/) with documented deprecation window
  • Consistent error envelope: code, message, field for validation errors

Authentication & Authorization

Auth is where integrations fail in production - not in the happy-path demo. Pick one primary model per API surface.

Pattern Use when Notes
OAuth 2.0 + JWT User-facing mobile/web apps Short-lived access tokens; refresh rotation; scope per role
API keys Server-to-server, internal tools Rotate keys; never in client-side code; rate limit per key
HMAC signatures Webhooks (PayHere, couriers) Verify on raw body; reject replayed timestamps
mTLS Bank, insurer, high-trust B2B Certificate lifecycle and renewal planning

Broader security checklist: cybersecurity Sri Lanka · cybersecurity services.

API Documentation

Documentation is part of the deliverable - not a PDF afterthought. Good docs cut integration time for your team and partners.

  • OpenAPI 3.x - machine-readable spec; generates Swagger UI and client SDKs
  • Postman collection - pre-filled examples with auth and environment variables
  • Changelog - per API version; breaking changes flagged 30+ days ahead
  • Sandbox credentials - separate from production; sample payloads for each endpoint
  • Error catalogue - every code with remediation steps

Deeper GraphQL schema design: GraphQL API development guide.

API Testing & Release Gates

APIs without automated tests become expensive to change. Minimum bar before production:

Layer What to test Tools
Contract Request/response schema matches OpenAPI Dredd, Schemathesis, openapi-diff on PR
Integration DB writes, auth, webhook handlers Vitest/Jest + test DB; sandbox provider keys
Load p95 latency and error rate at peak QPS k6, Locust - run before Black Friday / campaign launches
Security Auth bypass, IDOR, injection on new routes OWASP ZAP on staging; manual IDOR checklist

Full QA strategy: software testing best practices · CI wiring: DevOps & CI/CD Sri Lanka.

Related reading: Payments: PayHere integration guide · Microservices: microservices patterns · Go APIs: Golang backend guide.

API development and integration, scoped and tested

Hashtag Coders - custom REST/GraphQL APIs, payment and ERP connectors, OpenAPI docs, and CI release gates for Sri Lankan and international clients.

Contact Us Web Development Digital Transformation

Pricing Factors (Sri Lanka, 2026)

Quotes depend on endpoints, auth complexity, number of external systems, and whether you need ongoing monitoring - not "per API" alone. Jaffna teams often quote 15-25% below Colombo for equivalent scope.

Scope Typical deliverables LKR (indicative) Timeline
Single third-party integration One provider (e.g. PayHere), webhooks, error handling, sandbox UAT 80K-250K 2-4 weeks
Custom API module 10-25 endpoints, JWT auth, OpenAPI, tests, staging deploy 400K-1.2M 4-8 weeks
Multi-system integration hub ERP + e-commerce + CRM sync, mapping layer, retry queues, admin dashboard 1.5M-4M 8-16 weeks
Enterprise / regulated mTLS, audit logs, penetration test support, SLA monitoring 3M-8M+ 3-6 months phased

Add-ons: API gateway setup (LKR 150K-400K) · observability stack (LKR 80K-200K) · annual maintenance LKR 120K-400K/year.

Integration Examples

Payments (PayHere, Stripe)

Checkout creates a server-side payment session; customer completes payment on hosted or embedded UI; webhook verifies signature before marking order paid. Idempotent handler prevents double-fulfilment on duplicate callbacks. Full provider comparison: payment gateway integration Sri Lanka.

ERP (inventory, invoicing)

E-commerce or POS pushes sales orders to ERP; ERP returns stock levels and invoice numbers. Map SKU codes explicitly - do not assume names match. Use a dead-letter queue for failed sync rows and an admin screen to replay. Often pairs with POS retail systems or e-commerce builds.

CRM (leads, customers)

Website forms and chatbots create leads in HubSpot, Zoho, or a custom CRM via API. Define field mapping, duplicate detection (email/phone), and consent flags for PDPA. Batch backfill for historical contacts is a separate scoped task.

Logistics (courier tracking)

On dispatch, create shipment with courier API; store tracking ID; poll or receive webhook for status (picked up, out for delivery, delivered). Customer portal reads status from your DB - not live courier calls on every page view.

Delivery Process (Hashtag Coders)

  1. Discovery (1-2 weeks): Systems diagram, data ownership, auth model, sandbox access
  2. Contract & mapping (1 week): Field mapping doc, error codes, SLAs per integration
  3. Build & test (2-10 weeks): API or connector code, OpenAPI, automated tests
  4. UAT with real sandboxes: Payment test cards, ERP test company, courier test AWBs
  5. Go-live & monitor: Alerting on webhook failures, latency, error rate

Stack choices: Node.js/Next.js API routes, Laravel, or Go - matched to your existing platform. See DevOps services for pipeline and monitoring setup.

Frequently Asked Questions

REST or GraphQL for our new mobile app?

Start REST unless screens need highly variable nested data from many resources in one call. GraphQL adds schema governance and query-cost controls - worth it for complex mobile clients, not for a five-endpoint MVP.

How long does PayHere integration take?

Hosted checkout with webhooks: typically 1-2 weeks development plus merchant KYC time with PayHere. Custom card flows or subscriptions take longer.

Do we need an API gateway?

Not on day one for a monolith. Add Kong, AWS API Gateway, or similar when you expose multiple microservices to partners or need central rate limiting and auth.

Who owns the API specification?

You should. Contract must hand over OpenAPI files, Postman collections, repository access, and environment documentation on final payment.

Can you integrate with our legacy on-prem ERP?

Yes - usually via a VPN-restricted bridge service, scheduled sync, or a REST wrapper over existing DB views. Scope depends on ERP documentation quality and write access policies.

Conclusion

API development and integration services succeed when design, auth, documentation, and testing are scoped together - not as an afterthought to a UI build. Use this guide to compare integration types, choose REST vs GraphQL vs gRPC honestly, and budget for webhooks, mapping layers, and monitoring. Match vendor quotes to the same deliverable list: endpoints, OpenAPI, tests, and sandbox UAT sign-off.

Ready to get started?

Turn these insights into real results for your business

Hashtag Coders specialises in delivering exactly the solutions discussed in this article. Let's talk about your project - the first consultation is completely free.

No commitment requiredFree initial consultationServing clients in Sri Lanka & globallyTransparent pricing