
High-Level View of Security in APIs

Learn about public and private APIs, along with cybersecurity models.

Introduction

We have explored several topics on API security in this chapter. Before wrapping up, we’ll explore some significant concepts and models in the API security landscape. Studying these concepts will enable us to architect secure APIs. We’ll explain the following topics:

  • Scope of APIs: Discusses the types and users of APIs

  • Cybersecurity models: Security models that are applicable to APIs

These concepts aid in the overall security and functionality of APIs, so we’ll go over them before we end the chapter on security. Let's begin by examining the scopes of APIs.

Public and private APIs

When we examine APIs, there are two significant concerns regarding API consumers:

  • Who is the intended user of an API?

  • Where is the API made available, and where can someone access the API on the network?

These points may be referred to as the scope of the API, so let's expand on these concepts.
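The two scope questions above, combined with the private/partner/public user categories that the rest of this section describes, as an added example that is not part of the original lesson: a small gate that decides, for a constructed request, whether an API of a given scope may serve it. The internal address ranges, principal kinds and the `reachable_externally` flag are assumptions for illustration.

```python
"""Scope-based gate for an API: who may call it, and from where (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: address ranges treated as the organization's internal network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class ApiScope:
    intended_user: str          # "private", "partner" or "public"
    reachable_externally: bool  # second scope question: reachable from outside?


@dataclass(frozen=True)
class Caller:
    source_ip: str
    principal_kind: Optional[str]  # "employee", "partner", or None (anonymous)


def is_internal(ip: str) -> bool:
    """True if the source address falls in one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def allowed(api: ApiScope, caller: Caller) -> Tuple[bool, str]:
    """Return (decision, reason); the reason is meant for the audit log."""
    if api.intended_user not in ("private", "partner", "public"):
        raise ValueError(f"unknown API scope: {api.intended_user}")
    # Network exposure is checked first: an API that is not meant to be
    # reachable from outside denies external callers whoever they claim to be.
    if not is_internal(caller.source_ip) and not api.reachable_externally:
        return False, "external source, API not exposed externally"
    # Then the intended-user check. A private API that is exposed outside
    # (for an external company component) still admits employees only.
    if api.intended_user == "public":
        return True, "public API"
    if api.intended_user == "partner":
        if caller.principal_kind in ("employee", "partner"):
            return True, f"partner API, {caller.principal_kind} principal"
        return False, "partner API requires an employee or partner principal"
    if caller.principal_kind == "employee":
        return True, "private API, employee principal"
    return False, "private API requires an employee principal"
```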

Intended users

There are three categories when we examine who an API is intended for.

  • Private: These are intended for consumption by users inside the organization, such as employees. Such APIs may still be exposed outside the organization, because the business itself may have external components that require access. An example of such an API could be a messaging portal that the organization uses solely for internal communication. However, such APIs are not available to the general public.

  • Partner: These are APIs we design to communicate with established partners. The API is intended to be used outside the organization, perhaps in tandem with other APIs. The ...