An Application Programming Interface (API) is a well-defined set of protocols and tools that enables communication between software applications. It acts as an intermediary, allowing programs to request and receive data from each other in a structured and secure way. One system do not need to know the internals of other system in order to communicate instead they just to agree on certain rules like protocols and structure.

Imagine if every app you used tried to be all things to all people. Your music app would try to navigate you places, your photo editing app would also send messages, and your social media app would… well, it already tries to do everything! But the truth is, it’s hard for one company to be the best at everything. That’s where APIs come in. APIs act like translators between different programs, allowing them to share features and data. This lets your favorite apps focus on what they do best – like editing photos or keeping you connected – and borrow functionalities from others to offer a wider range of features. So next time you seamlessly switch between editing a picture and sharing it on social media, thank the magic of APIs for making it all work smoothly behind the scenes.

I remember, in the early days of APIs, developing and using them was a complex chore. Even with technologies like DCOM, CORBA or SOAP trying to smooth things over, frequent updates to different systems created constant compatibility headaches. Imagine building with Legos where the pieces changed size and shape every few weeks - that was the challenge of early APIs! Thankfully, things have become much more standardized and user-friendly today.

REST-based APIs using JSON are the most common today, and nearly all popular programming languages have several frameworks that allow you to develop REST APIs.

Since APIs often handle sensitive information and critical features, their security is crucial in system design. Unsecured APIs can break trust and even violate laws. Strong API security protects sensitive information and ensures everything operates smoothly.

There are mainly four ways through which we secure our APIs:

1. Robust Authentication and Authorization

2. Encryption in Transit and at Rest

3. Input Validation and Sanitization

4. Rate Limiting and Threat Monitoring

For this article I would only talk about point #1 Authentication and Authorization.

quick refresher on Authentication vs Authorization

The difference between authentication and authorization is the same as who and what. Authentication deals with who should get into the system and Authorization handles what data should be accessible.

What is OAuth 2.0?

OAuth is a short for Open Authorization. It is an industry-standard framework for secure authorization delegation. It streamlines user login and data access between applications from trusted providers (like Facebook or Google) without ever directly acquiring passwords.

Here's a breakdown:

1. Authorization Request: The application requests permission to access specific user resources on a trusted provider's platform (e.g., Facebook profile information).

2. User Consent: The user explicitly grants or denies this permission on the trusted provider's platform.

3. Secure Access Token: If granted, the trusted provider issues a secure access token to the application. This token grants controlled access to the authorized resources, but doesn't contain the user's password.

4. API Access: The application uses the access token to access the authorized user resources on the trusted provider's API.

OAuth 2.0 offers several benefits:

• Enhanced Security: Eliminates the need for applications to store user passwords, reducing the risk of data breaches.

• Convenience: Users can avoid creating and managing additional login credentials for various applications.

• Improved User Experience: Streamlined login process fosters better user engagement.

read more here.

Auth0

Auth0 is a paid platform which makes authentication and authorization extremely easy. Feel free to signup for Auth0. I have used the free version and its enough to understand the whole process.

Encryption in Transit and at Rest

Now let's talk about the second way to secure our APIs - encryption. Think of encryption like sending your data in a locked briefcase rather than an open envelope. Even if someone intercepts it, they can't read what's inside without the key.

Encryption in Transit means protecting data while it's traveling between the client and server. All API communications should use HTTPS/TLS to encrypt this data. This prevents man-in-the-middle attacks where bad actors try to intercept and read your sensitive information.

Here are the key practices:

1. Always use HTTPS: Never use plain HTTP for API endpoints - it's like shouting your secrets in a crowded room.

2. Use TLS 1.2 or higher: TLS 1.3 is even better and offers improved security and performance.

3. Strong cipher suites: Disable weak encryption methods that attackers can easily crack.

4. Certificate pinning: For mobile apps, this prevents attackers from using fake certificates.

Encryption at Rest protects data when it's stored in your databases or file systems. Even if someone gains access to your storage, they can't read encrypted data without the decryption keys.

Best practices include:

• AES-256 encryption: Use strong encryption for sensitive database fields.

• Separate key storage: Keep encryption keys in dedicated services like AWS KMS, Azure Key Vault, or HashiCorp Vault - never store them alongside your data.

• Field-level encryption: Extra protection for highly sensitive data like passwords and credit card numbers.

• Key rotation: Regularly change your encryption keys to limit exposure if one gets compromised.

Input Validation and Sanitization

The third security measure is all about not trusting user input - ever. Attackers love to send malicious data through API requests hoping to break your system or steal information.

Common attacks include SQL injection, cross-site scripting (XSS), and command injection. Proper validation and sanitization acts as your first line of defense against these threats.

Validation means checking if the input matches what you expect:

1. Whitelist approach: Define exactly what valid input looks like rather than trying to block every possible bad input.

2. Type checking: If you expect a number, reject anything that isn't a number.

3. Length limits: Set maximum lengths to prevent buffer overflow attacks.

4. Format validation: Use patterns to validate emails, phone numbers, and dates.

5. Range checks: Ensure numbers fall within acceptable limits.

Sanitization means cleaning the input before using it:

• Escape special characters: Prevent them from being interpreted as code.

• Parameterized queries: The best defense against SQL injection - never concatenate user input into SQL statements.

• Content Security Policy: HTTP headers that help prevent XSS attacks.

• Strip HTML tags: Unless you explicitly need them, remove HTML from user input.

Consider using JSON Schema to define and enforce the structure of your API requests. This ensures only properly formatted data gets processed.

Rate Limiting and Threat Monitoring

The fourth pillar focuses on controlling who can use your API and how much. Without rate limiting, attackers can overwhelm your servers or attempt brute force attacks.

Rate limiting restricts how many requests a client can make within a given time period. This protects against:

• DoS attacks: Overwhelming your API with requests to make it unavailable.

• Brute force attacks: Repeated attempts to guess passwords or tokens.

• Data scraping: Unauthorized mass extraction of your data.

• Cost control: Preventing abuse that could spike your infrastructure costs.

Common strategies include:

1. Fixed window: Allow X requests per minute (e.g., 100 requests per minute).

2. Sliding window: More sophisticated tracking that handles burst traffic better.

3. Token bucket: Allows occasional bursts while maintaining an average rate.

4. Per-endpoint limits: Stricter limits for expensive or sensitive operations.

Threat Monitoring helps you detect and respond to security issues in real-time:

• Comprehensive logging: Track timestamps, IP addresses, user IDs, endpoints accessed, and response codes.

• Anomaly detection: Watch for unusual patterns like spikes in failed logins or requests from unusual locations.

• Alerting: Get notified about suspicious activities like repeated 401/403 errors or potential injection attempts.

• Regular audits: Periodically review logs and conduct penetration testing.

Tools like Datadog, New Relic, Prometheus with Grafana, or cloud-native solutions like AWS CloudWatch can help you implement effective monitoring.

Wrapping Up

API security isn't a one-time setup - it's an ongoing process. Threats evolve, new vulnerabilities emerge, and your API grows and changes over time.

Remember the four pillars we discussed:

1. Robust Authentication and Authorization - Ensure only the right users access the right resources.

2. Encryption in Transit and at Rest - Protect data whether it's moving or stored.

3. Input Validation and Sanitization - Never trust user input.

4. Rate Limiting and Threat Monitoring - Control access and watch for suspicious activity.

By implementing all four, you create defense in depth - multiple layers of security that protect your API, your users, and your business. A single weakness can compromise everything, so take security seriously from day one.

For those getting started, platforms like Auth0, AWS API Gateway, Kong, or Apigee offer built-in security features. But understanding these principles helps you make better decisions and customize security for your specific needs.