secure your APIs

What are APIs and why are they important?

An Application Programming Interface (API) is a well-defined set of protocols and tools that enables communication between software applications. It acts as an intermediary, allowing programs to request and receive data from each other in a structured and secure way. One system do not need to know the internals of other system in order to communicate instead they just to agree on certain rules like protocols and structure.

Imagine if every app you used tried to be all things to all people. Your music app would try to navigate you places, your photo editing app would also send messages, and your social media app would… well, it already tries to do everything! But the truth is, it’s hard for one company to be the best at everything. That’s where APIs come in. APIs act like translators between different programs, allowing them to share features and data. This lets your favorite apps focus on what they do best – like editing photos or keeping you connected – and borrow functionalities from others to offer a wider range of features. So next time you seamlessly switch between editing a picture and sharing it on social media, thank the magic of APIs for making it all work smoothly behind the scenes.

I remember, in the early days of APIs, developing and using them was a complex chore. Even with technologies like DCOM, CORBA or SOAP trying to smooth things over, frequent updates to different systems created constant compatibility headaches. Imagine building with Legos where the pieces changed size and shape every few weeks - that was the challenge of early APIs! Thankfully, things have become much more standardized and user-friendly today.

REST-based APIs using JSON are the most common today, and nearly all popular programming languages have several frameworks that allow you to develop REST APIs.

Since APIs often handle sensitive information and critical features, their security is crucial in system design. Unsecured APIs can break trust and even violate laws. Strong API security protects sensitive information and ensures everything operates smoothly.

There are mainly four ways through which we secure our APIs:

1. Robust Authentication and Authorization

2. Encryption in Transit and at Rest

3. Input Validation and Sanitization

4. Rate Limiting and Threat Monitoring

For this article I would only talk about point #1 Authentication and Authorization.

quick refresher on Authentication vs Authorization

The difference between authentication and authorization is the same as who and what. Authentication deals with who should get into the system and Authorization handles what data should be accessible.

What is OAuth 2.0?

OAuth is a short for Open Authorization. It is an industry-standard framework for secure authorization delegation. It streamlines user login and data access between applications from trusted providers (like Facebook or Google) without ever directly acquiring passwords.

Here's a breakdown:

1. Authorization Request: The application requests permission to access specific user resources on a trusted provider's platform (e.g., Facebook profile information).

2. User Consent: The user explicitly grants or denies this permission on the trusted provider's platform.

3. Secure Access Token: If granted, the trusted provider issues a secure access token to the application. This token grants controlled access to the authorized resources, but doesn't contain the user's password.

4. API Access: The application uses the access token to access the authorized user resources on the trusted provider's API.

OAuth 2.0 offers several benefits:

• Enhanced Security: Eliminates the need for applications to store user passwords, reducing the risk of data breaches.

• Convenience: Users can avoid creating and managing additional login credentials for various applications.

• Improved User Experience: Streamlined login process fosters better user engagement.

read more here.

Auth0

Auth0 is a paid platform which makes authentication and authorization extremely easy. Feel free to signup for Auth0. I have used the free version and its enough to understand the whole process.

To be continued…