Chapter 10 Securing APIs

Design and Build Great Web APIs, by Mike Amundsen

The Pragmatic Programmers

--


In this chapter, you'll learn how to secure your API. API security rests on three elements: identity (who is making the request), access control (what that caller is allowed to do), and encryption (protecting the data in transit). We'll explore each one in turn and then focus on a straightforward way to implement all three.


After we review the security basics, we'll implement them with two standards: Open Authorization (OAuth)[76] and JSON Web Token (JWT).[77] OAuth is a protocol for requesting and granting scoped access on behalf of a particular user or machine. JWT is a standard format for carrying the resulting claims (who the caller is and what it may do) in a compact token whose signature the API can verify. Used together, they let you add authentication and access control to your API in a standardized way that stays independent of the API's own business logic.

To make the whole process easier, we’ll use an online provider called Auth0 (“auth-zero”) to do the work of generating and validating our access control tokens.[78] We’ll also make some modifications to our API project in order to communicate with the Auth0 website when we need to enforce our security rules. Finally, we’ll take advantage of a couple of local bash scripts to simplify managing and testing our API security.
