What is an API token

API security

API security is the process of protecting the integrity of APIs, both those you own and those you use. But what does that mean exactly?

Well, you've probably heard of the Internet of Things (IoT), where computing power is built into everyday objects. The IoT makes it possible for your phone and refrigerator to communicate, so if you want to shop for an impromptu party on the way home from work, you always know exactly what is missing. You might also be a member of a DevOps team that uses microservices and containers to build legacy and cloud-native apps in a fast and iterative way. APIs are one of the most widely used methods of communication between microservices and containers, just as they are between systems and apps. As integration and interconnectivity grow in importance, so do APIs.

Why is API security so important?

Companies use APIs to connect services and transfer data. Broken, unprotected, or hacked APIs are the number one cause of severe data loss, because they can expose confidential medical, financial and personal data to the public. Note, however, that not all data is the same or needs to be protected in the same way: your API security strategy depends on the type of data being transferred.

When your API connects to a third-party application, you need to understand how that app transmits the information back out to the internet. To return to the refrigerator example: you may not care if a stranger knows your eating habits, but if they use the same API to find your location, things look rather different.

What is API Security on the Web? REST API security or SOAP API security?

API security on the web is mostly about the transfer of data through APIs connected to the internet. OAuth (Open Authorization) is the open standard for access delegation: it lets users grant third parties access to web resources without disclosing their passwords. OAuth is the technology standard that allows you to share the video of your cocker spaniel's belly flop on your social networks with a single share button.

Most API implementations are either REST (Representational State Transfer) or SOAP (Simple Object Access Protocol).

REST APIs use HTTP and support TLS (Transport Layer Security) encryption. TLS is a standard that protects internet connections and ensures that the data transmitted between two systems (server-to-server or server-to-client) is encrypted and remains unchanged. So if an attacker tries to steal your credit card information from a shopping website, they cannot read or modify it in transit. A sign that a website is protected by TLS is the "HTTPS" (Hypertext Transfer Protocol Secure) prefix at the start of the URL.

REST APIs also use JavaScript Object Notation (JSON), a lightweight data format that simplifies data transfer to and from web browsers. By using HTTP and JSON, REST APIs do not have to store or repackage data and thus work faster than SOAP APIs.

SOAP APIs use built-in protocols known as Web Services Security (WS-Security). These protocols define rules for confidentiality and authentication. SOAP APIs support the standards of the two major international standards bodies, OASIS (Organization for the Advancement of Structured Information Standards) and W3C (World Wide Web Consortium). They use a combination of XML encryption, XML signatures and SAML tokens to perform authentication and authorization. In general, SOAP APIs are praised for their more comprehensive security measures, but they also require more administrative effort. For these reasons, they are recommended for organizations that handle very sensitive data.

What are some of the most common API security best practices?

Do you keep your savings under the mattress? Certainly not. Like many others, you entrust it to a bank and use separate methods to authorize and authenticate payments. API security is not much different: you need a trustworthy environment with policies for authorization and authentication.

Here are some of the most common ways you can strengthen your API security:

  • Use of tokens: Create trusted identities, assign tokens to them, and use those tokens to control access to services and resources.
  • Use of encryption and signatures: Encrypt your data in transit using methods such as TLS (see above). Require signatures to ensure that only authorized users can decrypt and modify your data.
  • Identification of weak points: Keep the operating system, network, drivers and API components up to date. Find out how they all work together and identify weaknesses that could make your APIs vulnerable. Use sniffers to identify security issues and monitor for data leaks.
  • Use of quotas and throttling: Configure quotas for the number of calls to your API and monitor their usage. An unusually high number of calls can indicate abuse, but it could also be a programming error in which a client is caught in an infinite loop. Create throttling rules to protect your APIs from spikes and denial-of-service attacks.
  • Use of an API gateway: API gateways act as the primary point of control for API traffic. A good gateway not only authenticates traffic but also lets you control and analyze how your APIs are used.
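As an added example (not from the original article or from any Red Hat product), the Go program below implements the quota and throttling item above: a per-client quota per time window, which flags the "unusually high number of calls" case, plus a token bucket that absorbs short spikes. The limits, client names and the fixed clock are constructed values; the `Limiter` type and its API are assumptions of this example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Decision is the outcome of a rate-limit check for one API call.
type Decision int

const (
	Allowed       Decision = iota
	Throttled              // token bucket empty: a burst or spike, retry shortly
	QuotaExceeded          // window quota used up: possible abuse or a runaway client loop
)

func (d Decision) String() string {
	return [...]string{"allowed", "throttled", "quota_exceeded"}[d]
}

// Limiter keeps, per client identity, a hard quota (calls per window) and a
// token bucket that smooths bursts. The client identity is whatever the
// token or API key resolved to at the gateway.
type Limiter struct {
	mu      sync.Mutex
	quota   int           // maximum calls per window
	window  time.Duration // length of the quota window
	rate    float64       // bucket refill rate, tokens per second
	burst   float64       // bucket capacity
	clients map[string]*clientState
}

type clientState struct {
	windowStart time.Time
	used        int
	tokens      float64
	last        time.Time
}

func NewLimiter(quota int, window time.Duration, rate, burst float64) *Limiter {
	return &Limiter{quota: quota, window: window, rate: rate, burst: burst,
		clients: make(map[string]*clientState)}
}

// Allow decides one call for client at time now. Taking now as a parameter
// keeps the logic deterministic and testable; production code passes time.Now().
func (l *Limiter) Allow(client string, now time.Time) Decision {
	l.mu.Lock()
	defer l.mu.Unlock()
	st, ok := l.clients[client]
	if !ok {
		st = &clientState{windowStart: now, tokens: l.burst, last: now}
		l.clients[client] = st
	}
	// Quota: reset the counter when the window rolls over.
	if now.Sub(st.windowStart) >= l.window {
		st.windowStart = now
		st.used = 0
	}
	// Throttle: refill the bucket for the time elapsed, capped at burst.
	st.tokens += now.Sub(st.last).Seconds() * l.rate
	if st.tokens > l.burst {
		st.tokens = l.burst
	}
	st.last = now
	if st.used >= l.quota {
		return QuotaExceeded // hard limit: count these events, they signal abuse or a bug
	}
	if st.tokens < 1 {
		return Throttled // soft limit: the client is allowed, just not this fast
	}
	st.tokens--
	st.used++
	return Allowed
}

func main() {
	lim := NewLimiter(5, time.Minute, 1, 3)              // 5 calls/min, bursts of 3, 1 call/s sustained
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	for i := 0; i < 7; i++ {
		fmt.Printf("call %d: %s\n", i+1, lim.Allow("app-1", t0))
	}
}
```

Throttled calls are not charged against the quota, so a client that backs off after a spike keeps its allowance, while a client that keeps hammering the API runs into the hard limit and shows up in the quota-exceeded count.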

API management and security

API security often stands or falls with good API management. Many API management platforms support three types of security schemes:

  • API key - a single token string (i.e. a small hardware device that provides unique authentication information).
  • Basic authentication (APP ID / APP Key) - a solution consisting of two tokens (i.e. username and password).
  • OpenID Connect (OIDC) - a simple identification layer based on the popular OAuth framework (i.e. the user is verified by retrieving basic profile information using an authentication server).
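To make the three schemes concrete, here is an added Go example of how a gateway could resolve an incoming request to one of them; it is illustrative code written for this page, not the API of any of the platforms mentioned. The `X-API-Key` header name, the `Registry` type and the sample credentials are assumptions. OIDC bearer tokens are only recognized here and handed back for verification, since checking their signature and expiry is a separate step.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
)

// Scheme names which of the three security schemes a request presented.
type Scheme string

const (
	SchemeAPIKey Scheme = "api_key" // single token string
	SchemeBasic  Scheme = "basic"   // app_id / app_key pair, sent as HTTP Basic
	SchemeBearer Scheme = "bearer"  // OIDC access token, verified by a separate step
	SchemeNone   Scheme = "none"
)

// Registry is the credential store of a hypothetical API manager. Secrets
// are kept only as SHA-256 digests so a leaked store does not leak keys.
type Registry struct {
	apiKeys map[[32]byte]string // digest(key) -> application name
	apps    map[string][32]byte // app_id -> digest(app_key)
}

func NewRegistry() *Registry {
	return &Registry{apiKeys: map[[32]byte]string{}, apps: map[string][32]byte{}}
}

func digest(secret string) [32]byte { return sha256.Sum256([]byte(secret)) }

func (r *Registry) AddAPIKey(app, key string) { r.apiKeys[digest(key)] = app }
func (r *Registry) AddApp(id, key string)     { r.apps[id] = digest(key) }

// Authenticate resolves a request to (scheme, application, ok).
// For the bearer scheme the raw token is returned as the second value and ok
// is false: the caller must verify the token's signature and expiry itself.
func (r *Registry) Authenticate(req *http.Request) (Scheme, string, bool) {
	// 1. API key: one opaque string in a dedicated header (header name assumed).
	if key := req.Header.Get("X-API-Key"); key != "" {
		app, known := r.apiKeys[digest(key)]
		return SchemeAPIKey, app, known
	}
	// 2. Basic: app_id / app_key carried as HTTP Basic user:password.
	if id, key, ok := req.BasicAuth(); ok {
		want, known := r.apps[id] // zero digest when the app_id is unknown
		got := digest(key)
		// Compare in constant time, and even for unknown ids, so response
		// timing reveals neither which app_ids exist nor how much matched.
		match := subtle.ConstantTimeCompare(got[:], want[:]) == 1
		if known && match {
			return SchemeBasic, id, true
		}
		return SchemeBasic, "", false
	}
	// 3. Bearer: an OIDC access token; recognized here, verified elsewhere.
	if auth := req.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		return SchemeBearer, strings.TrimPrefix(auth, "Bearer "), false
	}
	return SchemeNone, "", false
}

func main() {
	reg := NewRegistry()
	reg.AddAPIKey("inventory-app", "constructed-api-key-123") // constructed sample credentials
	reg.AddApp("app-42", "constructed-app-key")

	req, _ := http.NewRequest("GET", "https://api.example.test/orders", nil)
	req.SetBasicAuth("app-42", "constructed-app-key")
	scheme, app, ok := reg.Authenticate(req)
	fmt.Println(scheme, app, ok)
}
```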

When choosing an API manager, you should understand which and how many of these security schemes it can handle and how you can incorporate the API security practices outlined above.


Why Red Hat for API Management and API Security?

Data breaches can have dire effects, but there are ways to improve security. APIs are always worthwhile; you just have to know exactly what you need. Much depends on your ongoing security measures and on whether you are asking the right questions, know which areas require your attention, and use an API manager that you can trust. We're here to help.

Our recommendation: our award-winning Red Hat 3scale API Management. It includes:

  • An API manager to manage API, application and developer roles
  • A traffic manager (an API gateway) to enforce the API manager's policies
  • An Identity Provider (IDP) hub to support a wide variety of authentication protocols

Red Hat 3scale API Management decodes time-stamped, expiring tokens at the API gateway, checks that the client identification is valid, and confirms the token's signature using a public key.
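The sentence above names three gateway checks: decode a time-stamped token, confirm that it has not expired and that the client it was issued to is still valid, and verify its signature with a public key. The following Go program is an added example written for this page, not Red Hat 3scale code, and it does not reproduce 3scale's token format. It performs those checks with an Ed25519 key pair and a constructed token layout of base64url(claims) "." base64url(signature); the claim names, the `validClients` list and the fixed clock are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the token payload: who it is for, which client it was issued
// to, and when it expires (Unix seconds). Claim names are assumed.
type Claims struct {
	Subject  string `json:"sub"`
	ClientID string `json:"client_id"`
	Expires  int64  `json:"exp"`
}

var (
	ErrMalformed = errors.New("token: malformed")
	ErrSignature = errors.New("token: bad signature")
	ErrExpired   = errors.New("token: expired")
	ErrClient    = errors.New("token: unknown or revoked client")
)

// NewIssuerKeys creates the issuer's key pair. Only the issuer ever holds
// the private key; gateways are configured with the public key alone.
func NewIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure is not recoverable here
	}
	return pub, priv
}

// Issue signs the JSON-encoded claims and returns body.signature, both
// base64url without padding (constructed layout for this example).
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	body := enc.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(body))
	return body + "." + enc.EncodeToString(sig), nil
}

// Verify is the gateway side: the signature is checked with the public key
// before anything in the body is trusted, then the claims are decoded and
// the expiry and the client's validity are checked.
func Verify(pub ed25519.PublicKey, token string, validClients map[string]bool, now time.Time) (*Claims, error) {
	body, sigText, ok := strings.Cut(token, ".")
	if !ok {
		return nil, ErrMalformed
	}
	enc := base64.RawURLEncoding
	sig, err := enc.DecodeString(sigText)
	if err != nil {
		return nil, ErrMalformed
	}
	if !ed25519.Verify(pub, []byte(body), sig) {
		return nil, ErrSignature
	}
	payload, err := enc.DecodeString(body)
	if err != nil {
		return nil, ErrMalformed
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, ErrMalformed
	}
	if now.Unix() >= c.Expires {
		return nil, ErrExpired
	}
	if !validClients[c.ClientID] {
		return nil, ErrClient
	}
	return &c, nil
}

func main() {
	pub, priv := NewIssuerKeys()
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	valid := map[string]bool{"app-42": true}             // constructed client list
	tok, _ := Issue(priv, Claims{Subject: "alice", ClientID: "app-42", Expires: now.Add(time.Hour).Unix()})
	_, err := Verify(pub, tok, valid, now)
	fmt.Println("fresh token:", err)
	_, err = Verify(pub, tok, valid, now.Add(2*time.Hour))
	fmt.Println("two hours later:", err)
}
```

Checking the signature before decoding the body matters: everything in the claims, including the expiry, is attacker-controlled until the public-key check has passed, so no decision should be made on it earlier.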