Security
Last but not least is security. First of all, all APIs should use SSL. Requests sent over plain HTTP should fail.
For authentication, there are several approaches. The most basic version is to use basic HTTP so that API clients can use a randomly generated access token as the value of the username field of HTTP basic authentication. Another approach is to support OAuth2 so that end users can grant access to third-party applications to access their data via the APIs. Sometimes, these two approaches won't work or are not ideal. For example, you might require the API clients to pass extra information during authentication. In such a case, you can use JWT (short for JSON Web Tokens), which is an open standard (RFC 7519) that defines ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access