High-Level View of Security in APIs


We have explored several topics on API security in this chapter. Before wrapping up, we’ll explore some significant concepts and models in the API security landscape. Studying these concepts will enable us to architect secure APIs. We’ll explain the following topics:

  • Scope of APIs: Discusses the types and users of APIs

  • Cybersecurity models: Security models that are applicable to APIs

These concepts aid in the overall security and functionality of APIs, so we’ll go over them before we end the chapter on security. Let's begin by examining the scopes of APIs.

Public and private APIs

When we examine APIs, there are two significant concerns regarding API consumers:

  • Who is the intended user of an API?

  • Where is the API made available, and where can someone access the API on the network?

These points may be referred to as the scope of the API, so let's expand on these concepts.

Intended users

There are three categories when we examine whom an API is designed for:

  • Private: These are intended for consumption by users inside the organization, such as employees. They might still be exposed outside the organization's network, because the business may have external components that require access. An example of such an API could be a messaging portal that the organization uses solely for internal communication. However, such APIs are not available to the general public.

  • Partner: These are APIs we design to communicate with established partners. The API is intended to be used outside the organization, perhaps in tandem with other APIs. The usage of such APIs usually comes with special terms and conditions that the partners or consumers have to agree to. Twitter's API is an example of a partner API because it has several tiers (elevated or elevated+, which grant additional access within the developer portal, such as additional requests in a specific period of time) to denote a third party's approval status.

  • Public: These are open APIs that the general public can access through an API directory. They’re typically easy to sign up for and use, but the developer may not have complete information about the users of the API. Facebook's open API that allows third parties to post on a user's newsfeed is an example of a public API.
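As an added illustration (not code from the course), the following gateway policy ties the three audiences above to enforcement: each caller arrives labelled with its audience and, for partners, an approval tier, and the gateway decides both which paths are exposed to that audience and how many requests per time window the tier grants. The audience labels, path sets, tier names and quotas are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Audience(Enum):
    PRIVATE = "private"   # employees and internal systems
    PARTNER = "partner"   # contracted third parties under agreed terms
    PUBLIC = "public"     # anyone who signed up via the API directory


# Constructed policy: which paths each audience may reach, and how many
# requests per window each audience/tier gets. A private-only path is never
# reachable by a partner or public caller, whatever their tier.
ALLOWED_PATHS = {
    Audience.PRIVATE: {"/internal/messages", "/partner/orders", "/v1/posts"},
    Audience.PARTNER: {"/partner/orders", "/v1/posts"},
    Audience.PUBLIC: {"/v1/posts"},
}
QUOTAS = {
    (Audience.PRIVATE, None): 10_000,
    (Audience.PARTNER, "elevated"): 300,     # constructed tier names/limits
    (Audience.PARTNER, "elevated+"): 1_500,
    (Audience.PUBLIC, None): 60,
}


@dataclass
class Gateway:
    """Fixed-window request counter per caller (hypothetical helper)."""
    window: int = 60
    counts: dict = field(default_factory=dict)  # caller -> (window_start, n)

    def authorize(self, caller, audience, tier, path, now):
        """Return (allowed, reason); `now` is a Unix timestamp in seconds."""
        if path not in ALLOWED_PATHS[audience]:
            return False, "path not exposed to this audience"
        quota = QUOTAS.get((audience, tier))
        if quota is None:
            # Unknown tier: deny rather than fall back to a default quota.
            return False, "no quota defined for this audience/tier"
        start, n = self.counts.get(caller, (now, 0))
        if now - start >= self.window:          # window rolled over
            start, n = now, 0
        if n >= quota:
            self.counts[caller] = (start, n)
            return False, "quota exhausted for this window"
        self.counts[caller] = (start, n + 1)
        return True, "ok"
```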
