Search⌘ K
AI Features

API Design Security - II

Explore essential API security concepts including authentication and authorization mechanisms, from HTTP Basic and API keys to JWTs and OAuth 2.0 frameworks. Understand OpenID Connect, SAML, and cybersecurity models like Zero Trust and WAAP. This lesson helps you design secure APIs while balancing performance and protecting against evolving threats across public and private API scopes.

Authentication and authorization

API security hinges on two complementary mechanisms:

  • Authentication verifies who the user is, typically via credentials like usernames and passwords. APIs can also use additional techniques, which well explore below.

  • Authorization controls what an authenticated user can access. A user may be authorized to view a Google Doc but not edit it.

Consider a banking API: without authentication, an impostor could access another user's account. Without authorization, there would be no way to enforce that individual users and organizational accounts have different privilege levels, such as access to different functions or rate-limited API calls.

HTTP basic authentication

HTTP basic authentication is the simplest scheme: it encodes the client's username and password in Base64 and includes the result in the Authorization header. For a user "Bob" with the password "thefarmer," the header value follows a set template:

Authorization: Basic Qm9iOnRoZWZhcm1lcg==

Note: The Authorization request header represents the username and password as Bob:thefarmer, encoded in Base64. The Basic keyword before the encoded text signifies basic authentication.

The client sends its request
1 / 4
The client sends its request

The flow proceeds as follows:

  1. The client sends a request to the server.

  2. The server cannot authenticate the client, rejects the request, and returns a WWW-Authenticate response header that prompts for credentials.

  3. The client resends the request with its Base64-encoded username and password in the Authorization header.

  4. The server verifies the credentials and allows the request through.

1.

What is the purpose of the realm keyword in the WWW-Authenticate header?

Show Answer
1 / 2

The advantages and disadvantages of HTTP basic authentication are as follows:

HTTP Basic Authentication Advantages and Disadvantages

Authentication Mechanism

Advantages

Disadvantages


HTTP basic authentication


  • Simplest of all authentication methods
  • The client's password will have to be forwarded on every API call, increasing its chances of being intercepted by an attacker
  • Overhead due to authenticating the client for every request
  • Credentials are encoded instead of being encrypted


Because of these drawbacks, HTTP Basic authentication has largely fallen out of use in APIs.

API keys

API keys address these shortcomings by replacing encoded credentials with a uniquely generated string that the API provider issues to each consumer or application. API keys identify the application, not the end user, so they require additional security measures for safe transmission and are typically used alongside other authentication mechanisms.

Note: API keys can't authenticate end users, only the application sending the request. For end-user authentication, they're typically used alongside other protocols.

Key-generation methods vary. Some APIs produce random strings with additional encoding and padding, while others increase the bit length to reduce predictability and expand the key space. The goal is always to generate unique, unguessable keys. Heres an example of what an API key might look like:

znri4QCgaBmYA4Sdsf45SEBPSrPQF7Ow7Uffd7

With API key authentication, the application includes its assigned key in a request header. The server looks up the key in its database to verify the application. An example of API key generation is shown below:

The application sends a request to generate its API key
1 / 4
The application sends a request to generate its API key

API keys offer several benefits over HTTP Basic authentication:

  • Applications can hold multiple keys per account.

  • Keys can be refreshed and regenerated easily.

  • Because the key is separate from the users credentials, a compromised key does not expose the users password.

  • Keys can be revoked immediately if compromised.

Keeping API keys secret is critical. If an attacker obtains one, the server cannot distinguish the attacker from the legitimate application.

Why is HTTP Basic authentication considered stateless, and what are the trade-offs related to system simplicity, security, and usability?

Use the AI assessment widget below to submit your solution and get an interactive response.

HTTP Basic Authentication

The advantages and disadvantages of API keys are as follows:

API Keys Advantages and Disadvantages

Authentication Mechanism

Advantages

Disadvantages



API keys


  • Preferred for their simplicity
  • Multiple keys can be made from the same master account
  • Better security in comparison with HTTP basic authentication


  • Need another authorization protocol alongside them, or else attackers can gain access to API keys and subsequent permissions
  • Have to be sent with every request that requires user authentication


JSON Web Token (JWT)

JSON Web Token (JWT) is an open standard that defines a compact and self-contained way to securely transmit information between parties as a JSON object. JWTs are trusted because they are digitally signed.A JSON Web Token (JWT) is an open standard that provides a compact, self-contained method for securely transferring data between entities as JSON objects. Unlike API keys, JWTs are structured strings with three parts (header, payload, and signature) that travel in HTTP requests. They support both authentication and authorization because they carry information about the token holder.

An example of a decoded JWT header:

Javascript (babel-node)
{
"alg": "HS256", // The hashing algorithm
"typ": "JWT" // The type of token
}

The header specifies the hashing algorithm (for example, HS256) and the token type (JWT). The payload contains claims about the user, such as the name, issuer, and expiration:

Javascript (babel-node)
{
"sub": "user1", // Subject
"name": "Johnny",
"iss": "https://exampleissuer.com/", // Issuer
"exp": 6473975421 // Expiration in seconds
... // Rest of the payload
}

The signature verifies the token's legitimacy and message integrity. It is generated by signing the encoded header and payload, plus a secret (known only to the issuing entity), with the algorithm specified in the header. The recipient recalculates and compares the signatures to detect tampering.

An example of a signature representation:

Javascript (babel-node)
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)

Note: The header and payload are Base64-encoded and separated by a period (.). The ...