Chapter 6. API Security and User Management

Formulating effective API security is a critical design decision, as well as an ongoing operations imperative. This is an important subject, addressed in many books with a broader scope than ours. This chapter is by no means a definitive survey of Internet security techniques. Here we highlight the security issues and techniques that apply to designing and operating APIs specifically.

The security models you choose are an important characteristic of your API and must be appropriate for the business. If your API deals with sensitive finance data over public networks, stronger security measures will be required than if your API simply passes data around for a private audience on a protected network.

The operative questions for designing your API security framework include:

  • What assets are you trying to secure? How much security do you need to secure them?

  • How will the security measures you plan to implement impact performance of the API? Will it complicate programming against it?

  • Who is using the API? Do you need users to identify themselves before they use applications built using the API?

  • Is it OK if they just identify the application that is running and not the person who is using it?

Very few API providers offer APIs without some form of identification, such as registration for using the API. Most APIs employ one or more of these basic security techniques:


Who is making an API request?


Are they really ...

Get APIs: A Strategy Guide now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.