API Integration for Companies: Connecting ERP, CRM, Webshop and Excel
When the same order is retyped three times, that is not a staffing problem but an integration problem. How to connect systems without building a new chaos.
In many mid-sized companies integration looks like this: an order arrives in the webshop, gets transferred into an Excel list, is typed from there into the ERP, and the customer is maintained manually in the CRM. Four systems, the same information, retyped three times — and every typo is now official.
That is not a staffing problem. It is an integration problem. And it is not solved by more discipline but by clean interfaces.
Why data silos are more expensive than they look
The cost of duplicate data entry appears on no invoice. It hides in typos, in "which number is right now", in hours nobody books, and in decisions based on outdated exports. Precisely because the cost is invisible, it is carried for years.
DORA's 2024 Accelerate State of DevOps Report shows what good integration achieves: shorter cycle times and more stable processes emerge when information flows without manual breaks — not through more people mediating between systems.
The Excel bridge is an API — just a bad one
The Excel export that travels through the building by email is the current interface between your systems. It is just manual, unversioned, error-prone and not available at 2 a.m. Integration does not replace this bridge with something new — it replaces a bad interface with a reliable one.
Four principles of clean integration
1. One source of truth per data type
Before any interface comes a decision: which system "owns" the customer, which the order, which the article? Without that, you synchronize conflicts, not data.
2. An interface instead of point-to-point sprawl
Wiring four systems directly gives twelve brittle connections. A central API layer everything hangs off gives four — and that same layer later carries modernization (see Legacy modernization without a big bang).
3. Plan for failure, don't wish it away
A target system will be unreachable at some point — that is certain, not unlikely. Good integration has retry, ordering and a visible log. Bad integration loses the order silently.
4. Security is part of the interface, not an add-on
APIs connect systems — and open them. The OWASP API Security Top 10 lists broken object-level authorization (BOLA) as risk number one; a large share of API attacks targets exactly that. Whoever builds interfaces without an authorization model integrates systems and their attack surface in one go.
Real time is not always the goal
Not every connection has to be synchronous in milliseconds. A nightly, reliable reconciliation is often better than a fragile real-time coupling that blocks the whole process on every hiccup of one system. The right question is not "how fast" but "how reliable and how current does it really need to be".
Security does not end at the API
A connected system landscape is only as secure as its weakest interface. Whoever integrates systems should have the attack surface deliberately tested instead of inheriting it (see Penetration testing for web applications). The BSI report classifies untested interfaces and dependencies as a persistent risk.
Checklist before integration
- Is a source of truth defined per data type?
- Are we building a central interface instead of point-to-point sprawl?
- Are failure case, retry and log planned?
- Is an authorization model part of the API, not an afterthought?
- Is it clarified how current data really needs to be?
- Is the integration's attack surface tested?
- Does the interface later also carry modernization?
Frequently asked questions
Do we have to retire our legacy systems to integrate? No. An API layer goes in front of the legacy system. Integration and later modernization use the same layer — without downtime.
Isn't a nightly Excel export enough? As a deliberately chosen, logged batch: sometimes yes. As an uncontrolled email with an attachment: no — that is the insecure variant of the same idea.
What does an integration cost? Less than the invisible cost of duplicate data entry over two years — but only if the source of truth is clarified first. Otherwise you just integrate chaos faster.
Do we need real time? Rarely everywhere. Mostly "reliable and current enough" is fine. Real time where a decision truly depends on it.
Conclusion
API integration is not a technical project but a decision about truth, reliability and security. Whoever defines a source of truth, builds a central interface, plans for failure and takes authorization seriously replaces the Excel bridge with a system that also works at 2 a.m.
Further reading
- Web App with Next.js: Developing a B2B Portal — where integrations visibly converge.
- Penetration Testing for Web Applications: Process and Value — testing the attack surface of connected systems.
Next step
Is the same information retyped multiple times at your company? Start with a short assessment of your requirements. We clarify the source of truth and cut a first, reliable interface.
Sources
- DORA, Accelerate State of DevOps Report 2024 — dora.dev
- OWASP, API Security Top 10 (2023) — owasp.org
- BSI, The State of IT Security in Germany — bsi.bund.de