
Basics of API Security

Explore the core concepts of API security by understanding identity verification, access control, and encryption. Learn how OAuth and JWT protocols work together to secure API calls and how to implement these standards to protect your web services from unauthorized access.

Securing an API

In this chapter, we’ll learn how to secure an API. API security consists of three key elements: identity, access control, and encryption. We’ll explore each one in turn and then focus on a solution for implementing each of them in a direct way.

After we review the security basics, we’ll dive into implementing them via standards called OpenAuth (OAuth) and JSON Web Token (JWT). OAuth is a protocol for requesting and sharing access control information for a particular user or machine. JWT is a standard way of representing access control in the form of a token. Used together, they let us add security features to our API in an independent and standardized way.
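To make the identity and access control checks concrete, here is an added example (not code from the course) of the verification step an API performs on a JWT issued by an OAuth authorization server: it checks the signature and expiry to establish identity, then checks the space-delimited OAuth `scope` claim for access control. The HS256 shared secret, the `orders:read` scope and the claims are constructed demo values.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values: a shared HMAC secret and the scope an endpoint requires.
SECRET = b"demo-secret-not-for-production"
REQUIRED_SCOPE = "orders:read"

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    # Issuer side (the role an OAuth authorization server plays): sign header.payload with HS256.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def authorize(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """API side: verify identity (signature + expiry), then access control (scope).
    Returns {"ok": bool, "sub": str | None, "reason": str}."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        provided = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "sub": None, "reason": "malformed"}
    # Pin the algorithm: the verifier decides what it accepts, never the token's header.
    if header.get("alg") != "HS256":
        return {"ok": False, "sub": None, "reason": "bad_alg"}
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, provided):
        return {"ok": False, "sub": None, "reason": "bad_signature"}
    if claims.get("exp", 0) <= now:
        return {"ok": False, "sub": claims.get("sub"), "reason": "expired"}
    # OAuth scopes are a space-delimited string; require the one this endpoint needs.
    if REQUIRED_SCOPE not in claims.get("scope", "").split():
        return {"ok": False, "sub": claims.get("sub"), "reason": "insufficient_scope"}
    return {"ok": True, "sub": claims.get("sub"), "reason": "ok"}
```

The `reason` values map naturally onto HTTP responses: `malformed`, `bad_alg`, `bad_signature` and `expired` are 401 conditions, while `insufficient_scope` is a 403.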

Understanding security basics

The key to understanding API security is to focus on two related elements: identity and access control. These work at the API level. In other words, when we’re implementing the API, we need to decide if and when we’ll apply identity and access control checks.

It’s also important to understand the role of encryption as an additional layer of security. For HTTP-based APIs, this works at the protocol level. The most common way to recognize the use of encryption on the web is through the use of the HTTPS identifier (called a URI scheme) instead of the HTTP identifier in our URLs.

These two items—identity/access control and encryption—can also work independently of one another. In this first half of the chapter, ...