
API Security

In the context of security by design, these topics are intentionally mentioned before further details on API modeling.

  • Authentication and authorization are two distinct concepts. The first deals with the subject making a request, while the second concerns the objects (resources) that the request targets.

    Often abbreviated as authn and authz, the authentication process ensures that the presented credentials are correct, while the authorization process checks that the permissions granted to the requesting subject are sufficient for the operation they want to perform on a specific resource.

Authentication

APIs must support authentication using the JSON Web Token (JWT) standard.

Using JSON Web Token (JWT) for authentication provides several advantages, particularly for cloud-based APIs:

  • Stateless and Scalable: JWTs are self-contained, storing all necessary information within the token itself. This eliminates the need for the server to maintain session data, allowing for more scalable, stateless API architectures.
  • Enhanced Security: JWTs are cryptographically signed, which means they can be verified by the server, ensuring that the token has not been tampered with. They can also include claims (additional metadata) that help control and secure access, such as user roles and permissions.
  • Interoperability: As an industry standard, JWTs are widely supported across programming languages and frameworks, making them highly compatible and easier to implement across various platforms and devices.
  • Efficiency: Since JWTs are compact, they can be passed in headers, minimizing overhead and reducing response times for client-server interactions.
  • Flexibility with Single Sign-On (SSO): JWTs are ideal for SSO implementations, as a token generated by one service can be securely used to access multiple applications, improving the user experience and reducing authentication complexity.

A JWT's main function is to authenticate the user's identity through validation of the token; it does not by itself handle authorization or dictate permissions. Overall, JWT provides a secure, efficient, and flexible authentication solution well-suited for modern API-driven environments.
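The verification the bullets above rely on (signature check, algorithm pinning, issuer and expiry checks) is shown here as an added example using only the Python standard library; it is not code from the original page. It assumes HS256 with a shared secret, a constructed demo secret and an assumed issuer URL, and a fixed `now` parameter so the expiry check is reproducible.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: a real deployment loads this from a secret store.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
DEMO_ISSUER = "https://auth.example.internal"  # assumed issuer URL


def b64url_encode(data: bytes) -> str:
    """JWT segments use unpadded base64url (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256-signed token (the authentication service's job)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, expected_issuer: str, now: float = None):
    """Validate a token the way an API must before trusting any claim in it.

    Returns (True, claims) on success or (False, reason) on failure.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, signature_b64 = parts

    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, TypeError):
        return False, "malformed header"
    # Pin the algorithm server-side; never let the token choose it ("alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unsupported alg"

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(signature_b64)
    except (ValueError, TypeError):
        return False, "malformed signature"
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"

    # Only after the signature checks out are the claims worth reading.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return False, "malformed payload"
    if not isinstance(claims, dict):
        return False, "malformed payload"
    if claims.get("iss") != expected_issuer:
        return False, "unexpected issuer"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "expired or missing exp"
    return True, claims


if __name__ == "__main__":
    token = mint_jwt(
        {"iss": DEMO_ISSUER, "sub": "user-42", "exp": int(time.time()) + 300},
        DEMO_SECRET,
    )
    print(verify_jwt(token, DEMO_SECRET, DEMO_ISSUER))
```

The order of checks is the point: the algorithm is fixed by the server, the signature is checked before the payload is even parsed, and issuer and expiry are validated on every request. A production service would typically use a maintained library and asymmetric keys (RS256/ES256) so that resource servers only hold public keys, but the same checks apply.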

Authorization

We suggest using a foundational authorization mechanism, like the one used in systems such as Kubernetes, to manage permissions at runtime, ensuring that only authorized users or services (principals) can perform specific actions on resources.

  • In this model, users or service accounts are associated with predefined roles that encapsulate a set of permissions, such as read, write, or delete.
  • When a principal attempts an action, the control plane API consults an authorization provider to evaluate whether the associated roles permit the requested operation.
  • This process is independent of any data in an authentication token such as a JWT, which lets the system make dynamic, context-aware authorization decisions.

One widely used approach is the Role-Based Access Control (RBAC) model. Other models exist, such as Attribute-Based Access Control (ABAC) and Policy-Based Access Control (PBAC); they provide more flexibility and can be used in combination with RBAC or as alternatives to it, depending on the system's security requirements.
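The three-step model above (roles bundle permissions, principals are bound to roles, the API asks an authorization provider at request time) is shown here as an added example in Python; it is not code from the original page or from Kubernetes. The role catalogue, the bindings and the principal names are constructed for the demo, and the rule shape (namespace, resource type, verbs) loosely mirrors Kubernetes Role and ClusterRole rules.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Rule:
    """One permission grant: verbs allowed on a resource type within a namespace."""
    namespace: str         # "*" means cluster-wide
    resource: str          # "*" means every resource type
    verbs: FrozenSet[str]  # {"*"} means every verb


# Constructed role catalogue: a role is just a bundle of rules.
ROLES: Dict[str, Tuple[Rule, ...]] = {
    "viewer": (Rule("*", "deployments", frozenset({"get", "list"})),),
    "staging-editor": (
        Rule("staging", "deployments", frozenset({"get", "list", "create", "update"})),
    ),
    "cluster-admin": (Rule("*", "*", frozenset({"*"})),),
}

# Constructed bindings: principal -> roles. This lives server-side, never in the token.
BINDINGS: Dict[str, FrozenSet[str]] = {
    "user:alice": frozenset({"viewer"}),
    "sa:ci-deployer": frozenset({"staging-editor"}),
    "user:ops-admin": frozenset({"cluster-admin"}),
}


def principal_from_claims(claims: dict) -> str:
    """The only thing authorization takes from a verified JWT is the identity.

    A "roles" claim, if present, is deliberately ignored: permissions come from
    the bindings store so they can change without reissuing tokens.
    """
    return f"user:{claims['sub']}"


def rule_matches(rule: Rule, verb: str, resource: str, namespace: str) -> bool:
    return (
        rule.namespace in ("*", namespace)
        and rule.resource in ("*", resource)
        and ("*" in rule.verbs or verb in rule.verbs)
    )


def authorize(principal: str, verb: str, resource: str, namespace: str,
              roles=ROLES, bindings=BINDINGS) -> Tuple[bool, str]:
    """Deny by default; allow only when some bound role carries a matching rule."""
    bound = bindings.get(principal)
    if not bound:
        return False, f"{principal} has no role bindings"
    for role_name in sorted(bound):
        for rule in roles.get(role_name, ()):
            if rule_matches(rule, verb, resource, namespace):
                return True, f"allowed by role {role_name}"
    return False, f"no rule in {sorted(bound)} permits {verb} {resource} in {namespace}"


if __name__ == "__main__":
    # Identity established by authentication, decision made by authorization.
    who = principal_from_claims({"sub": "alice", "roles": ["cluster-admin"]})
    print(who, authorize(who, "get", "deployments", "prod"))
    print(who, authorize(who, "delete", "deployments", "prod"))
```

Two design choices carry the security meaning: the default is deny, so an unknown principal or a role with no matching rule never succeeds; and the decision reads roles from the bindings store rather than from token claims, which is what lets permissions be revoked or narrowed at runtime without touching the authentication side.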