Basics of API Security
Learn how to identify API users, control API access with authentication, and protect API traffic with encryption.
Securing an API
In this chapter, we’ll learn how to secure an API. API security consists of three key elements: identity, access control, and encryption. We’ll explore each one in turn and then focus on a solution for implementing each of them in a direct way.
After we review the security basics, we’ll dive into implementing them via standards called OpenAuth (OAuth) and JSON Web Token (JWT). OAuth is a protocol for requesting and sharing access control information for a particular user or machine. JWT is a standard way of representing access control in the form of a token. Used together, they let us add security features to our API in an independent and standardized way.
Understanding security basics
The key to understanding API security is to focus on two related elements: identity and access control. These work at the API level. In other words, when we’re implementing the API, we need to decide if and when we’ll apply identity and access control checks.
It’s also important to understand the role of encryption as an additional layer of security. For HTTP-based APIs, this works at the protocol level rather than in the API code. The most common sign that encryption is in use on the web is the HTTPS identifier (called a URI scheme) in place of the HTTP identifier in our URLs.
These two items—identity/access control and encryption—can also work independently of one another. In this first half of the chapter, we’ll focus on identity and access control and then discuss encryption. In the second half, ...
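To make that separation concrete, here is an added example (not code from this chapter) of a small request pipeline that applies each of the three elements as its own check: the URI scheme decides whether the transport is encrypted, a bearer token establishes identity, and a permission table decides access. The `Request` class, `handle` function, token store and URLs are constructed sample data for illustration.

```python
# Added example (not from the chapter): a minimal request pipeline that
# applies the chapter's three elements separately. Tokens, users and
# routes below are constructed sample data, not real credentials.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Identity: opaque bearer token -> principal (constructed sample store).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
# Access control: which principals may perform which operation on a route.
PERMISSIONS = {
    ("GET", "/orders"): {"alice", "bob"},
    ("DELETE", "/orders"): {"alice"},
}

@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)

def transport_is_encrypted(url):
    # Encryption is decided at the protocol level: the URI scheme tells us
    # whether TLS is in use, independently of any identity/access checks.
    return urlsplit(url).scheme.lower() == "https"

def identify(request):
    # Identity check: map the bearer token to a known principal, or None.
    auth = request.headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return TOKENS.get(token)

def authorize(principal, method, path):
    # Access-control check: is this principal allowed this operation here?
    return principal in PERMISSIONS.get((method, path), set())

def handle(request):
    # The API decides if and when each check applies; here every route
    # needs identity and access control, and plaintext URLs are refused first.
    if not transport_is_encrypted(request.url):
        return 403, "HTTPS required"
    principal = identify(request)
    if principal is None:
        return 401, "unknown identity"
    path = urlsplit(request.url).path
    if not authorize(principal, request.method, path):
        return 403, f"{principal} may not {request.method} {path}"
    return 200, f"ok: {principal} {request.method} {path}"
```

Note that a known identity can still be refused by access control, and a plaintext URL is rejected before either check runs, which is the independence the text describes.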