API Security
Discover different aspects of API Security and learn best practice approaches.
API security encompasses the practices, processes, and products used to ensure APIs are secure, data can be transferred safely, and malicious attacks are prevented. APIs power the connectivity of the digital world. They offer faster integrations and increased freedom of choice when it comes to products. Keeping APIs, and the data provided through them, safe and only available to the intended user is a must. In this section we have gathered information covering the most important aspects of securing APIs and microservices.
Articles
The Split Token Approach
The Split Token Approach, applicable for any OAuth 2.0 ecosystem, aims to improve your tokens' security.
The API Security Maturity Model
There is a spectrum of API security implementations, and not all of them are equal. The model describes API security in ever-increasing levels of trust, complexity, and efficiency.
Harden API Access with Workload Identities
An introduction to workload identities and their role in API security.
Zero Trust API Events
Flowing user identity in event messages, to enable verification and auditing when asynchronous processes resume
API Security Best Practices
Learn API security best practices to safeguard your digital assets with effective authentication, authorization, and token management techniques.
JWT Security Best Practices
JWT security best practices for apps: how to use access tokens safely, choose algorithms, validate JWTs correctly, and avoid common mistakes.
Token Sharing Approaches
Learn about the different ways in which access tokens can be shared.
Top 10 API Security Vulnerabilities According to OWASP
A write-up of the top API security vulnerabilities according to OWASP and mitigating approaches.
Concepts for Serving Identities in a Kubernetes Environment
This article describes some architectural concepts for providing identity data to APIs and applications in a Kubernetes environment.
Implementing Zero Trust APIs
A summary of the main best practices when implementing a zero trust architecture to secure APIs, using OAuth 2.0 and OpenID Connect
JWT Signatures and EdDSA
This article explains how signatures work in JWTs in general and provides a detailed example based on the EdDSA algorithm
Impersonation Approaches
How to handle impersonation and delegation with OAuth and OpenID Connect to enable a subject to act as a different subject.
Self-contained JWTs
Design patterns to allow JWTs to be validated using extended header fields and Public Key Infrastructure.
The Phantom Token Approach
Adopt the Phantom Token Approach:a privacy-preserving token usage pattern for securing APIs and microservices.
Videos
Identity: The Kill Switch For API-Driven Digital Sovereignty
Ghosts, Zombies, and Robots: Handing Off Control to the Non-Humans
How to Design Secure MCP Deployments
Panel Discussion: API Security in the Age of AI
OAuth Well Played – Mods and Combos for the Cloud Native API Security Game
How to Build a Fortress with the Security of a Tent
Panel Discussion: API Authorization
The Swedish Chef Would Be Proud: Cooking up a Secure API in Minutes – Instructions Included
Military-Grade Security for APIs
Decentralized Identities Changes Everything, Even Your APIs
Addressing Top API Security Risks
Using Curity, OPA and Kong for end-to-end API authentication and authorization
Implementing Claims Best Practices
Browser-less mobile login using the authentication API
Jacob Has a Horse, Says Travis – a Tale of Truths In a Microservice Architecture
Scalable API Security Using OAuth
Financial Grade APIs Using OAuth and OpenID Connect
Security Is a Concern, Let’s Make It an Enabler
Securing APIs in a Cloud Native Environment Using OAuth
Securing APIs and Microservices with OAuth and OpenID Connect
OAuth and OpenID Connect for PSD2 and Third-Party Access
Customer Stories
Learn how organizations run identity and API security at scale.
Read customer stories