Edit

423.4 Secure APIs and authentication

Understand what APIs are, why they matter, and how to protect them using strong authentication and secure coding practices.

Targets

  • Explain what APIs are and how they are used in software systems

  • Identify common security risks in poorly secured APIs

  • Apply authentication and access control to reduce threats like broken authentication and data leaks

Syllabus references

Secure software architecture

  • Design, develop and implement a safe application programming interface (API) to minimise software vulnerabilities

  • Design, develop and implement secure code to minimise vulnerabilities in user action controls, including: – broken authentication – session management flaws

APIs are the glue that binds modern software together. They expose powerful functionality — but if you don’t lock them down, they also expose your system to attackers. This module explains what APIs are, how standard authentication methods work, why session management matters even in “stateless” APIs, and how to defend against broken authentication and session hijacking.

What is an API?

An API (Application Programming Interface) enables one program to communicate with another. When your timetable app fetches your schedule from the server, it calls an API. When a weather widget shows current conditions, it calls an API. APIs define the rules and formats (often JSON or XML) for sending and receiving data.

Why API security matters

APIs often sit at the boundary between a software system and the outside world. If they are not protected, attackers can:

  • Access private data or someone else’s account.

  • Bypass the login system and perform unauthorised actions.

  • Flood the server with requests (denial of service).

Authentication vs authorisation

Authentication verifies who is making a request — it’s about identity.

Authorisation determines what an authenticated user is allowed to do. A student should not be able to access admin features. Robust API security requires both.

Common API authentication methods

  1. HTTP Basic authentication – sends a Base64‑encoded username/password pair in an Authorization header. It must be used over HTTPS to prevent eavesdropping, and it offers no protection against or attacks.

  2. API keys – unique identifiers issued to each client. Keys must be sent with every request and kept secret. Like passwords, they should be rotated regularly and never hard‑coded in public code repositories.

  3. JWT (JSON Web Token) – a signed and optionally encrypted token that contains the user’s identity. JWTs are stateless; the server verifies the signature rather than looking up a session. Set reasonable expiration times and avoid storing sensitive data in the token.

  4. OAuth 2.0 – a token‑based protocol that allows users to grant limited access to third‑party applications. It is the gold standard for delegated authorisation and underpins “Sign in with Google/GitHub” flows.

Cover

HTTP Basic Authentication

HTTP basic authentication is the most rudimentary way to implement API authentication. It involves sending credentials as user/password pairs in an Authorization header field, where the credentials are encoded using Base64. However, these credentials

Cover

API Key Authentication

An API key is a unique identifier that an API provider issues to registered users in order to control usage and monitor access. The API key must be sent with every request—either in the query string, as a request header, or as a cookie. Like HTTP basic authentication, API key authentication must be used with HTTPS to ensure the API key remains secure.

Cover

JWT authentication

JWT, which stands for JSON Web Token, is a compact, stateless mechanism for API authentication. When a user logs into an application, the API server creates a digitally signed and encrypted JWT that includes the user's identity. The client then includes the JWT in every subsequent request, which the server deserialises and validates. The user's data is therefore not stored on the server's side, which improves scalability.

Cover

OAuth authentication

OAuth is a token-based authentication mechanism that enables a user to grant third-party access to their account without having to share their login credentials. OAuth 2.0, which provides greater flexibility and scalability than OAuth 1.0, has become the gold standard for API authentication, and it supports extensive API integration without putting user data at risk.

Securing APIs

In addition to robust authentication and session management, secure APIs follow these principles:

  1. Use HTTPS everywhere to protect data in transit.

  2. Authenticate every request; do not assume a session is valid just because the client sent a token.

  3. Enforce authorisation using role‑based access control or attribute‑based policies.

  4. Validate and sanitise input to prevent injection and other attacks.

  5. Limit exposure: only return data that is necessary; avoid leaking internal identifiers.

  6. Rate‑limit and monitor API usage. Detect anomalies, log errors, and respond to abuse.

  7. Keep secrets out of source code – store API keys and secrets in secure configuration services or environment variables.

Summary

APIs are the gateways to your application’s data and functionality. Securing them requires more than just choosing an authentication method: you must also manage sessions carefully, handle tokens securely, and enforce both authentication and authorisation. By following best practices for session management (secure, HttpOnly and SameSite cookies limited scope, appropriate expiration, and by mitigating broken authentication through strong credentials, MFA and proper token handling, you can minimise the vulnerabilities and protect systems against common API attacks.

Questions

  1. What is the primary purpose of an API (Application Programming Interface)?

Answer

An API acts as a contract between software systems, allowing them to communicate and exchange data in a standardised way. It enables developers to access specific features or data from another service or application without needing to understand its internal workings. This simplifies integration and encourages modular software design.

2. Outline TWO examples of APIs in action.

Answer

Google Maps API – Allows apps and websites to embed maps, calculate routes, and get location data without building their own mapping service.

Payment Gateway API (e.g. Stripe or PayPal) – Enables online stores to securely process credit card payments and manage transactions without storing sensitive payment details themselves.

3. What role do JSON and XML play in API authentication?

Answer

JSON and XML are data formats used to structure the information sent between clients and servers. In the context of API authentication, they often carry authentication tokens or credentials (e.g. API keys or OAuth tokens) within the body of a request. These formats ensure that the data is machine-readable and can be validated or parsed securely at both ends.

4. Compare HTTP basic authentication with API key authentication using a table to illustrate similarities and differences on key criteria.

Answer
Feature
HTTP Basic Authentication
API Key Authentication

Credential Format

Base64-encoded username and password

Key string, often passed in header or query parameter

Transmission Method

Authorization: Basic <encoded string>

Authorization: ApiKey <key> or key=<key> in URL

Security Requirement

Must use HTTPS to avoid interception

Must use HTTPS; keys should be rotated regularly

Replay Protection

None – credentials can be reused

None by default, unless combined with timestamp/nonces

Ease of Use

Simple to implement, but insecure on its own

Widely used, more flexible, but prone to leakage

Granularity

Tied to user credentials

Can be scoped to specific endpoints or permissions

5. Explain why APIs must have tight security controls.

Answer

APIs expose sensitive data and system functions over the Internet. Without strong security controls, attackers can exploit vulnerabilities to gain unauthorised access, steal data, or disrupt services. Since APIs often serve as the bridge between front-end and back-end systems, a breach can have wide-reaching consequences, including data leaks, financial loss, and damage to reputation.

6. Outline ways of securing APIs.

Answer

Securing APIs involves a combination of authentication, authorisation, encryption, and input validation.

Strategies include:

  • Using HTTPS to encrypt data in transit.

  • Implementing strong authentication methods (e.g. API keys, OAuth tokens).

  • Validating and sanitising user input to prevent injection attacks.

  • Limiting access based on roles (authorisation).

  • Employing rate limiting and throttling to reduce the risk of abuse.

  • Logging access and using monitoring tools to detect anomalies.

7. Distinguish between authentication and authorisation.

Answer

Authentication is the process of verifying the identity of a user or system (e.g. checking a password or token).

Authorisation is about determining what that user or system is allowed to do (e.g. can they read, write, or delete data?).

In short, authentication answers “Who are you?”, while authorisation answers “What can you do?”.

8. Outline some common API vulnerabilities.

Answer

Common API vulnerabilities include:

  • Broken authentication – where tokens or credentials are not securely handled.

  • Excessive data exposure – returning more data than necessary.

  • Injection attacks – like SQL or command injection via unsanitised input.

  • Rate limiting failures – allowing brute force or denial-of-service attacks.

  • Insecure endpoints – exposing internal functionality without checks.

  • Poor session management – leading to session hijacking or fixation.

  • Lack of logging and monitoring – making it hard to detect intrusions or misuse.

Previous423.32 Sandboxing and abstractionNext423.5 User-centred security

Last updated

Was this helpful?