API Security: Patterns for Authentication, Authorization, and Defense in Depth
#security #api #architecture #authentication
APIs are the attack surface of the modern organization. Every exposed endpoint is a potential entry point for unauthorized access, data exfiltration, or service disruption. Yet API security is often an afterthought -- bolted on after the fact rather than designed in from the start. This post maps the essential security layers, compares authentication methods, catalogs the OWASP API Top 10, and provides a tool landscape for implementation.
Security Layer Architecture
```text
┌─────────────────────────────────────────────────────────┐
│                     CLIENT REQUEST                      │
└────────────────────────────┬────────────────────────────┘
                             ▼
┌─────────────────────────────────────────────────────────┐
│  LAYER 1: NETWORK / EDGE                                │
│  ┌─────────┐  ┌──────────┐  ┌────────────┐  ┌─────────┐ │
│  │   WAF   │  │   DDoS   │  │    TLS     │  │ IP Allow│ │
│  │         │  │  Protect │  │ Termination│  │  List   │ │
│  └─────────┘  └──────────┘  └────────────┘  └─────────┘ │
└────────────────────────────┬────────────────────────────┘
                             ▼
┌─────────────────────────────────────────────────────────┐
│  LAYER 2: API GATEWAY                                   │
│  ┌─────────┐  ┌──────────┐  ┌────────────┐  ┌─────────┐ │
│  │  Rate   │  │   Auth   │  │  Request   │  │ API Key │ │
│  │ Limiting│  │  (JWT/   │  │ Validation │  │  Mgmt   │ │
│  │         │  │  OAuth)  │  │            │  │         │ │
│  └─────────┘  └──────────┘  └────────────┘  └─────────┘ │
└────────────────────────────┬────────────────────────────┘
                             ▼
┌─────────────────────────────────────────────────────────┐
│  LAYER 3: APPLICATION                                   │
│  ┌─────────┐  ┌──────────┐  ┌────────────┐  ┌─────────┐ │
│  │  Input  │  │  AuthZ   │  │  Business  │  │ Output  │ │
│  │ Valid.  │  │  (RBAC/  │  │   Logic    │  │Filtering│ │
│  │         │  │  ABAC)   │  │   Checks   │  │         │ │
│  └─────────┘  └──────────┘  └────────────┘  └─────────┘ │
└────────────────────────────┬────────────────────────────┘
                             ▼
┌─────────────────────────────────────────────────────────┐
│  LAYER 4: DATA                                          │
│  ┌─────────┐  ┌──────────┐  ┌────────────┐  ┌─────────┐ │
│  │ Encrypt │  │  Column  │  │   Audit    │  │  Data   │ │
│  │ at Rest │  │ Masking  │  │  Logging   │  │ Classif.│ │
│  └─────────┘  └──────────┘  └────────────┘  └─────────┘ │
└─────────────────────────────────────────────────────────┘
```
Authentication Method Comparison
| Method | Security Level | Complexity | Use Case | Revocability | Scalability |
|---|---|---|---|---|---|
| API Key | Low | Low | Server-to-server, internal | Per-key revocation | High |
| OAuth 2.0 + OIDC | High | High | User-facing apps, delegated access | Token expiry + revocation | High |
| JWT (self-contained) | Medium-High | Medium | Microservices, stateless auth | Hard (until expiry) | Very high |
| mTLS | Very High | Very High | Service mesh, zero-trust | Certificate revocation (CRL/OCSP) | Medium |
| HMAC Signatures | High | Medium | Webhooks, request integrity | Per-key revocation | High |
| Session Cookies | Medium | Low | Traditional web apps | Server-side invalidation | Medium |
When to Use What
```text
Decision Tree: Authentication Method
│
├── Machine-to-machine, internal?
│   ├── Zero-trust environment?          → mTLS
│   ├── Need request integrity?          → HMAC Signatures
│   └── Simple internal call?            → API Key + network restriction
│
├── User-facing application?
│   ├── Third-party access delegation?   → OAuth 2.0
│   ├── Single-page app / mobile?        → OAuth 2.0 + PKCE
│   └── Traditional server-rendered?     → Session Cookies
│
└── Microservice-to-microservice?
    ├── Service mesh in place?           → mTLS (Istio/Linkerd)
    └── No mesh?                         → JWT with short expiry + rotation
```
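For the "HMAC Signatures" row and the "Need request integrity?" branch, here is an added example (not code from the post) of a webhook consumer verifying a signed request: the body is bound to a timestamp, the comparison is constant-time, and stale timestamps are rejected so a captured request cannot be replayed. The `t=<unix seconds>,v1=<hex>` header layout and the shared secret are assumptions of this example, not a format the post prescribes.

```python
import hmac
import hashlib
import time

SIGNING_SECRET = b"constructed-shared-secret"  # constructed sample value, assumed shared out of band
MAX_SKEW_SECONDS = 300                          # replay window: reject anything older/newer than this


def sign(body: bytes, timestamp: int, secret: bytes = SIGNING_SECRET) -> str:
    """Producer side: sign "<timestamp>.<body>" so the timestamp is covered by the MAC too."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify(body: bytes, header: str, now: int, secret: bytes = SIGNING_SECRET) -> bool:
    """Consumer side: returns False for tampered bodies, wrong keys, malformed headers and replays."""
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        presented = fields["v1"]
    except (KeyError, ValueError):
        return False
    # Replay defence: a valid signature is only honoured inside the skew window.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    body = b'{"event":"order.paid","id":42}'  # constructed sample payload
    now = int(time.time())
    header = sign(body, now)
    print(verify(body, header, now))           # accepted
    print(verify(body + b" ", header, now))    # rejected: body altered
    print(verify(body, header, now + 3600))    # rejected: outside replay window
```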
OWASP API Security Top 10 (2023)
| Rank | Risk | Description | Mitigation |
|---|---|---|---|
| API1 | Broken Object Level Authorization | Accessing other users' data via ID manipulation | Enforce authorization checks per object, not just endpoint |
| API2 | Broken Authentication | Weak auth mechanisms or implementation flaws | Use proven auth libraries, enforce MFA, rate-limit login |
| API3 | Broken Object Property Level Authorization | Mass assignment, exposing internal fields | Explicit allowlists for input/output fields |
| API4 | Unrestricted Resource Consumption | No limits on request size, rate, or pagination | Rate limiting, pagination caps, request size limits |
| API5 | Broken Function Level Authorization | Accessing admin endpoints without admin role | RBAC enforcement at function/endpoint level |
| API6 | Unrestricted Access to Sensitive Business Flows | Automated abuse of business logic (scalping, spam) | Bot detection, CAPTCHA, business-logic rate limits |
| API7 | Server Side Request Forgery (SSRF) | API fetches attacker-controlled URLs | URL allowlisting, disable redirects, network segmentation |
| API8 | Security Misconfiguration | Default configs, verbose errors, missing headers | Security hardening checklists, automated scanning |
| API9 | Improper Inventory Management | Shadow APIs, undocumented endpoints | API discovery scanning, OpenAPI spec enforcement |
| API10 | Unsafe Consumption of APIs | Trusting third-party API responses without validation | Validate all external inputs, use timeouts and circuit breakers |
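To make the API1 and API3 mitigations concrete, here is an added example (not from the post) of an order read/update handler that authorizes the object itself, filters output through a per-role field allowlist, and rejects mass assignment on input. The orders, roles and field names are constructed sample data for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


# Constructed sample data; a real service would query a database.
ORDERS = {
    "1001": {"id": "1001", "owner_id": "alice", "total": 49.90,
             "internal_margin": 0.31, "fraud_score": 0.02},
    "1002": {"id": "1002", "owner_id": "bob", "total": 12.00,
             "internal_margin": 0.18, "fraud_score": 0.70},
}
# API3 mitigation: explicit per-role allowlist of output fields; anything else is dropped.
OUTPUT_FIELDS = {
    "customer": {"id", "total"},
    "support": {"id", "owner_id", "total", "fraud_score"},
}
INPUT_FIELDS = {"shipping_note"}  # the only property a client may set


class Forbidden(Exception):
    pass


def get_order(principal: Principal, order_id: str) -> dict:
    order = ORDERS.get(order_id)
    # Same error for "missing" and "not yours", so order IDs cannot be enumerated.
    if order is None:
        raise Forbidden()
    # API1 mitigation: authorize the object itself, not just the endpoint.
    if order["owner_id"] != principal.user_id and "support" not in principal.roles:
        raise Forbidden()
    role = "support" if "support" in principal.roles else "customer"
    return {k: v for k, v in order.items() if k in OUTPUT_FIELDS[role]}


def update_order(principal: Principal, order_id: str, payload: dict) -> dict:
    get_order(principal, order_id)  # reuse the object-level check before writing
    # Mass-assignment defence: reject any property outside the input allowlist
    # instead of merging the client payload into the record wholesale.
    rejected = set(payload) - INPUT_FIELDS
    if rejected:
        raise ValueError(f"unknown fields: {sorted(rejected)}")
    ORDERS[order_id].update({k: payload[k] for k in INPUT_FIELDS if k in payload})
    return get_order(principal, order_id)
```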
Rate Limiting Strategy Matrix
| Strategy | How It Works | Pros | Cons | Best For |
|---|---|---|---|---|
| Fixed Window | N requests per time window | Simple to implement | Burst at window edges | Low-traffic APIs |
| Sliding Window | Rolling count over time period | Smoother distribution | More memory/compute | General purpose |
| Token Bucket | Tokens replenish at fixed rate | Allows controlled bursts | Slightly complex | APIs with bursty traffic |
| Leaky Bucket | Requests processed at fixed rate | Perfectly smooth output | No burst tolerance | Strict throughput control |
| Adaptive | Limits adjust based on load | Resilient to traffic spikes | Complex to tune | High-scale production |
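As an added example that is not part of the original post, the Fixed Window and Token Bucket rows implemented side by side and driven by an explicit clock, so the window-edge burst the matrix warns about can be reproduced offline; the limits and timestamps are constructed.

```python
import math


class FixedWindow:
    """Allow at most `limit` requests per `window` seconds, counted per aligned window."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.window_start, self.count = None, 0

    def allow(self, now: float) -> bool:
        start = math.floor(now / self.window) * self.window  # align to window boundary
        if start != self.window_start:
            self.window_start, self.count = start, 0          # new window: counter resets
        if self.count < self.limit:
            self.count += 1
            return True
        return False


class TokenBucket:
    """Refill `rate` tokens per second up to `capacity`; each request spends one token."""

    def __init__(self, capacity: int, rate: float):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def edge_burst(limiter, limit: int, window: float) -> int:
    """Fire 2*limit requests straddling a window edge (t = window-0.1 and t = window+0.1)
    and return how many were admitted; a limiter without the edge problem admits ~limit."""
    admitted = 0
    for t in (window - 0.1, window + 0.1):
        for _ in range(limit):
            admitted += limiter.allow(t)
    return admitted


if __name__ == "__main__":
    print(edge_burst(FixedWindow(10, 60), 10, 60))           # 20: double the limit in 0.2 s
    print(edge_burst(TokenBucket(10, 10 / 60), 10, 60))      # 10: burst capped at capacity
```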
Tool Comparison
| Category | Tool | Type | Strengths | Best For |
|---|---|---|---|---|
| API Gateway | Kong | OSS + Enterprise | Plugin ecosystem, Lua extensibility | Multi-protocol APIs |
| API Gateway | AWS API Gateway | Managed | Native AWS integration | AWS-native architectures |
| API Gateway | Envoy / Istio | OSS | Service mesh, mTLS native | Kubernetes environments |
| Auth Provider | Auth0 / Okta | SaaS | Fast integration, social login | User-facing applications |
| Auth Provider | Keycloak | OSS | Full OIDC/SAML, self-hosted | On-prem or privacy-sensitive |
| WAF | AWS WAF | Managed | CloudFront integration | AWS workloads |
| WAF | Cloudflare WAF | SaaS | Global edge, easy setup | Web-facing APIs |
| Scanning | OWASP ZAP | OSS | Free, CI/CD integration | Development/testing |
| Scanning | Burp Suite | Commercial | Deep manual testing | Security teams |
| API Discovery | Apiiro / Traceable | SaaS | Runtime API discovery | Shadow API detection |
Resources
- OWASP API Security Top 10 (2023) -- the definitive risk catalog
- API Security in Action (Manning) -- comprehensive implementation guide
- OAuth 2.0 Simplified (Aaron Parecki) -- clear OAuth reference
- Zero Trust Architecture (NIST SP 800-207) -- zero trust framework