Understanding Security Basics

Design and Build Great Web APIs — by Mike Amundsen (76 / 127)

The Pragmatic Programmers


The key to understanding API security is to focus on two related elements: identity (authentication: establishing who is making the call) and access control (authorization: deciding what that caller is allowed to do). Both work at the API level. In other words, when you are implementing the API, you need to decide if and when you’ll apply identity and access control checks, and which routes or actions each check protects.

It’s also important to understand the role of encryption as an additional layer of security. For HTTP-based APIs, this works at the protocol level rather than in your API code. The most common way to recognize the use of encryption on the web is the https identifier (called a URI scheme) instead of the http identifier in your URLs. Keep in mind what this layer does and does not do: HTTPS (HTTP over TLS) protects the confidentiality and integrity of the request and response while they are in transit, but it says nothing about who the caller is or what they may do. Those questions are still answered by the identity and access control checks in the API itself.
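The two preceding paragraphs describe identity and access control as checks applied inside the API, and encryption as something applied underneath it by the protocol. The following Node.js example is added here to make that separation concrete; it is not code from the book or from the author’s sample project. The bearer-token store, the `tasks:read`/`tasks:write` scopes, the `/tasks` routes and the `handle` function are all assumptions made for illustration. TLS is deliberately not configured in this code: in a real deployment it would be set up separately (for example with Node’s `https.createServer` and a certificate), which is exactly the point that encryption lives at the protocol level.

```javascript
// Added example, not from the book. Identity (authentication) and access
// control (authorization) as two separate, per-request checks at the API
// level. Token store, scopes and routes are constructed/hypothetical.

// Constructed token store. In production these tokens would be validated
// against an identity provider (the chapter later uses Auth0), not a Map.
const TOKENS = new Map([
  ['tok-reader-1', { subject: 'alice', scopes: ['tasks:read'] }],
  ['tok-admin-1',  { subject: 'bob',   scopes: ['tasks:read', 'tasks:write'] }],
]);

// Identity: who is making this call? Accepts only an "Authorization: Bearer
// <token>" header (Node lower-cases header names) and returns the identity
// record on success, otherwise null.
function authenticate(headers) {
  const value = (headers['authorization'] || '').trim();
  const [scheme, token] = value.split(/\s+/);
  if (!/^bearer$/i.test(scheme || '') || !token) return null;
  return TOKENS.get(token) || null;
}

// Access control: may this identity perform this action? The required
// scope is declared per route, so the decision is made at the API level.
function authorize(identity, requiredScope) {
  return identity.scopes.includes(requiredScope);
}

// Hypothetical route table. Each route declares the scope it needs; a
// route that is not listed cannot be reached at all (deny by default).
const ROUTES = {
  'GET /tasks':  { scope: 'tasks:read',  handler: (id) => ({ tasks: [], for: id.subject }) },
  'POST /tasks': { scope: 'tasks:write', handler: (id) => ({ created: true, by: id.subject }) },
};

// Applies the checks in order: authentication (401), route lookup (404),
// authorization (403), then the handler (200). Returns { status, body }.
// Encryption is not handled here: it belongs to the transport (TLS),
// e.g. https.createServer({ key, cert }, ...) around whatever calls this.
function handle(method, path, headers) {
  const identity = authenticate(headers);
  if (!identity) {
    return { status: 401, body: { error: 'authentication required' } };
  }

  const route = ROUTES[`${method.toUpperCase()} ${path}`];
  if (!route) return { status: 404, body: { error: 'not found' } };

  if (!authorize(identity, route.scope)) {
    return { status: 403, body: { error: `scope ${route.scope} required` } };
  }
  return { status: 200, body: route.handler(identity) };
}

// Usage: an anonymous call is rejected before any route logic runs, a
// reader can list but not create, and an admin can do both.
console.log(handle('GET',  '/tasks', {}).status);                                      // 401
console.log(handle('GET',  '/tasks', { authorization: 'Bearer tok-reader-1' }).status); // 200
console.log(handle('POST', '/tasks', { authorization: 'Bearer tok-reader-1' }).status); // 403
console.log(handle('POST', '/tasks', { authorization: 'Bearer tok-admin-1' }).status);  // 200
```

Authenticating before looking up the route means an anonymous caller learns nothing about which routes exist; the 404 is only ever returned to an identified caller. Whether that ordering matters for your API is one of the "if and when" decisions the text refers to.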

These two items — identity/access control and encryption — can work independently of one another too. In this first part of the chapter, we’ll focus on identity and access control and then discuss encryption. In the second half, you’ll learn how to implement identity and access control for your APIs using the Auth0 online service and the OAuth[79] and OpenID[80] protocols.

Before we get wrapped up in the implementation details of securing your APIs, let’s take a minute to review the roles identity, access control, and encryption play on the web.

Identifying API Users with Authentication
