Risk Management

API Security–A Primer

API Security

APIs are providing business value by enabling to improve efficiency, increase revenue and more. As companies are leveraging APIs to have them exposed out to partners and customers, API Security becomes challenging. How do you secure your API against new threats and vulnerabilities being created every day? As hundreds of applications are making calls to these APIs on a daily basis, security is of primary importance, but it should also be standardized and follow industry best practices.

Here are some common patterns to adopt while securing your APIs.


OAuth today–is the de facto standard for authorization and along with that, the standard for federated authentication–OpenID Connect. Unlike previous authentication patterns, OAuth doesn’t allow API consumer from directly accessing user information. Instead, it receives and passes on the user to a page on the server where they can enter their credentials and then returns to the API Consumer an access token for that user.

Today, Open Authorization (OAuth)–a token authorization system–is the most common API Security measure. Unlike basic authorization, OAuth does not allow API Consumer from accessing the users’ information. Instead, it relays the user to a page on the destination server where they can enter their credentials and then returns to the API Consumer an access token for that user.

Read about the role of OAuth 2 scopes in API Management.

In case of a security breach, misuse or if the user decides that they no longer want to use that API, this access token can be deleted at any time. Furthermore, these access tokens can also be used to restrict permissions and letting the user decide which application should be able to access their account or information.

Here are a few examples of how to implement that with popular identity management companies like Okta and Microsoft.


If you’re not using SSL for secure communication of your APIs, then no matter what authentication protocol you use, you’ll never be secure. Unless you’re using HTTPs, all your credentials will be sent in plain-text over the wire–a horrible idea.

Data Privacy

Besides authenticating and authorizing access to APIs, security also involves policies to block attacks, ensure sensitive data is not accidentally or intentionally leaked and to revoke a compromised API that was granted to a user.

Threat protection

Another important capability is API quotas and spike arrest so that traffic to your backend systems is properly throttled and managed.  In the e-book, The Curious Case of API Security, we follow a methodical approach to investigating and solving the top API threats.  Learn what API Throttling, API Quota, Rate Limiting and Burst is?

API Security

API Security best practices are well documented; these should be taken into consideration no matter how complex or simple your APIs are.

To summarize, companies increasingly understand the potential of APIs, but these security challenges need to be taken into consideration as you embark on your digital journey. While an API Management solution doesn’t eliminate all threats, it can certainly help address these security challenges out of the box.

Read more about what you need to know about APIs and security.