Architecture | Intermediate | 45 min read

API Security Architecture

Technical guide to securing REST and GraphQL APIs including authentication, authorization, rate limiting, and protection against OWASP API Security Top 10.

SBK Security Team
Application Security Practice
Updated December 2024

Understanding API Security

API Security protects the interfaces that power modern applications, mobile apps, and third-party integrations.

Detail Level

This guide covers API security fundamentals: authentication, authorization, input validation, and rate limiting. Focus is on practical implementation patterns.

OWASP API Security Top 10

The OWASP API Security Top 10 identifies the most critical API security risks. Understanding these risks should guide your security strategy.

Most Common

Broken Object Level Authorization (BOLA) is the most exploited API vulnerability. Every endpoint that accesses user-specific data must verify the requestor owns that data.

API Authentication

Authentication verifies the identity of API consumers. Choose the right mechanism based on your use case.

Detail Level

Authentication Methods:

  • API Keys: Simple but limited. Use for server-to-server, not user auth.
  • JWT: Stateless tokens. Good for microservices. Validate signature and claims.
  • OAuth 2.0: Industry standard for delegated auth. Use for third-party access.
  • mTLS: Certificate-based. Strongest for service-to-service.

Step 1: Choose Authentication Method

Match authentication to consumer type: API keys for internal services, OAuth for third-party apps, JWT for microservices.

Step 2: Secure Token Management

Use short token lifetimes (15 min access, 7 day refresh). Implement token revocation. Rotate API keys regularly.

Step 3: Protect Credentials

Never expose secrets in URLs or logs. Use secure storage for API keys. Implement proper secret rotation procedures.
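The token checks the steps above call for (pinned algorithm, signature verified before any claim is read, issuer, audience and a 15-minute expiry), as an added example written for this guide rather than code from the original page. It uses a constructed HS256 shared secret and a hypothetical issuer name; a production service would load the secret from a secret store and normally use a vetted JWT library, but the checks it must perform are the ones shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HS256 secret. A real service loads it
# from a secret store and would normally use a vetted JWT library instead.
SECRET = b"example-shared-secret-do-not-reuse"
ISSUER = "auth.example"   # hypothetical issuer name

def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(sub: str, aud: str, lifetime_s: int = 900, now=None) -> str:
    """Mint a short-lived (default 15 min) HS256 access token."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "aud": aud, "iss": ISSUER, "iat": now, "exp": now + lifetime_s}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, expected_aud: str, now=None) -> dict:
    """Return the claims only if algorithm, signature, issuer, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token header select "none" or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison, and done before any claim is trusted.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("bad issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("bad audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims
```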

API Authorization

Authorization determines what authenticated users can access. Server-side enforcement is critical.

Step 1: Object-Level Authorization

Verify that the authenticated user owns or has been granted access to each requested resource. Check on every request, not only at selected endpoints. Don't rely on object IDs being hidden or hard to guess; they are not a secret.

Step 2: Function-Level Authorization

Restrict administrative and privileged functions to appropriate roles. Implement role-based access control (RBAC) or attribute-based access control (ABAC).

Step 3: Property-Level Authorization

Control which properties users can read or modify. Filter responses to exclude sensitive fields. Validate input against allowed properties.

Step 4: Rate-Based Authorization

Different tiers may have different rate limits. Implement usage quotas for API consumers. Track and enforce limits per-consumer.
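Object-, function- and property-level authorization from Steps 1 to 3 in one request handler, as an added example written for this guide (not code from the original page). It assumes a constructed in-memory order store, a hypothetical "support" role, and a field allow-list standing in for whatever schema the real API exposes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset

class Forbidden(Exception):
    pass

# Constructed in-memory store standing in for the database (example data only).
ORDERS = {
    1001: {"id": 1001, "owner": "u-1", "total": 42.0, "internal_margin": 0.31},
    1002: {"id": 1002, "owner": "u-2", "total": 99.0, "internal_margin": 0.12},
}
# Property-level policy for plain customers; "support" is a hypothetical privileged role.
CUSTOMER_READABLE = {"id", "owner", "total"}
CUSTOMER_WRITABLE = {"total"}

def _load_owned(principal: Principal, order_id: int) -> dict:
    """Object-level check on every request: the id is not a secret, ownership is."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != principal.user_id and "support" not in principal.roles):
        raise Forbidden("order not accessible")   # same error for missing and foreign ids
    return order

def get_order(principal: Principal, order_id: int) -> dict:
    order = _load_owned(principal, order_id)
    # Property-level filtering: the response is built from an allow-list, not the raw record.
    allowed = set(order) if "support" in principal.roles else CUSTOMER_READABLE
    return {k: v for k, v in order.items() if k in allowed}

def update_order(principal: Principal, order_id: int, patch: dict) -> dict:
    order = _load_owned(principal, order_id)
    # Validate input against allowed properties: reject unknown fields instead of mass-assigning them.
    if not set(patch) <= CUSTOMER_WRITABLE:
        raise Forbidden("field not writable")
    order.update(patch)
    return get_order(principal, order_id)

def refund_order(principal: Principal, order_id: int) -> dict:
    # Function-level authorization: a privileged operation gated on role, enforced server-side.
    if "support" not in principal.roles:
        raise Forbidden("refund requires support role")
    _load_owned(principal, order_id)["total"] = 0.0
    return get_order(principal, order_id)
```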

⚠️ Server-Side Only

All authorization must be enforced server-side. Never trust client assertions about permissions. Client-side checks are UX, not security.

Input Validation

Validate all input to prevent injection attacks, data corruption, and business logic abuse.

Validation Location

Validate at API gateway for common checks and again in application code for business logic validation. Defense in depth.

Rate Limiting &amp; Throttling

Rate limiting protects APIs from abuse and DoS attacks, and ensures that resources are shared fairly between consumers.

Detail Level

Rate Limiting Strategies:

  • Fixed Window: Simple counter reset at intervals
  • Sliding Window: Smoother limiting, prevents burst at boundaries
  • Token Bucket: Allows burst capacity with sustained limits
  • Concurrent Limit: Caps simultaneous requests
💡 Granularity

Apply rate limits at multiple levels: per-IP for unauthenticated, per-user for authenticated, per-API-key for partners, per-endpoint for expensive operations.
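The token bucket strategy from the list above, keyed per consumer so the same code serves the per-IP, per-user, per-API-key and per-endpoint layers the Granularity note describes. This is an added example written for this guide, not code from the original page; the bucket sizes, keys and injectable clock are constructed for illustration.

```python
import time
from dataclasses import dataclass

@dataclass
class TokenBucket:
    capacity: float      # burst size: how many requests may arrive at once
    refill_per_s: float  # sustained rate
    tokens: float
    updated: float

class RateLimiter:
    """One token bucket per key; the key sets the granularity, e.g. ("ip", addr),
    ("user", id), ("api_key", kid) or ("endpoint", path). In-memory for the example;
    a production version evicts idle keys or keeps buckets in a shared store."""
    def __init__(self, capacity: float, refill_per_s: float, clock=time.monotonic):
        self.capacity, self.refill_per_s, self.clock = capacity, refill_per_s, clock
        self.buckets = {}

    def bucket(self, key) -> TokenBucket:
        now = self.clock()
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = TokenBucket(self.capacity, self.refill_per_s, self.capacity, now)
        # Refill proportional to elapsed time, capped at capacity: the cap is what bounds bursts.
        b.tokens = min(b.capacity, b.tokens + (now - b.updated) * b.refill_per_s)
        b.updated = now
        return b

    def allow(self, key, cost: float = 1.0) -> bool:
        b = self.bucket(key)
        if b.tokens >= cost:
            b.tokens -= cost
            return True
        return False

def allow_request(checks) -> bool:
    """Layered limits: checks is a list of (limiter, key, cost). Every layer must have
    room, and tokens are consumed only when all of them pass, so a request rejected by
    the per-endpoint limit does not also burn the caller's per-user budget."""
    buckets = [(lim.bucket(key), cost) for lim, key, cost in checks]
    if any(b.tokens < cost for b, cost in buckets):
        return False
    for b, cost in buckets:
        b.tokens -= cost
    return True
```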

API Gateway Security

API gateways centralize security controls and provide consistent enforcement across all APIs.

Gateway + App Security

API gateway security is the first line of defense. Application-level security (especially authorization) must also be implemented. Don't rely solely on gateway controls.

API Security Monitoring

Monitoring APIs for security threats enables detection and response to attacks in progress.

Step 1: Log API Activity

Log all API requests: endpoint, method, consumer identity, response code, response time. Include sufficient context for security investigation.

Step 2: Detect Anomalies

Monitor for unusual patterns: high error rates, abnormal request volumes, unexpected endpoints, unusual hours. Alert on deviations from baseline.

Step 3: Track Authentication Events

Monitor failed authentication attempts, token refresh patterns, and credential usage across IPs. Detect credential stuffing and account takeover.

Step 4: Alert on Attacks

Configure alerts for: BOLA attempts (sequential ID access), injection patterns, rate limit exceedance, unauthorized function access.

API Discovery

Monitor for undocumented APIs (shadow APIs) that may lack security controls. Inventory all APIs and validate security posture.
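Two of the alerts from Steps 3 and 4 (BOLA probing seen as sequential ID access, and credential stuffing seen as failed logins across many accounts from one IP) run over a constructed sample of access logs. This is an added example written for this guide, not code from the original page; the log format, field names and thresholds are assumptions to adapt to your gateway's logging.

```python
import json
import re
from collections import defaultdict

# Constructed sample of API gateway access logs (JSON lines), not real traffic.
SAMPLE_LOGS = """
{"ip": "203.0.113.5", "consumer": "u-7", "method": "GET", "path": "/orders/1001", "status": 200}
{"ip": "203.0.113.5", "consumer": "u-7", "method": "GET", "path": "/orders/1002", "status": 403}
{"ip": "203.0.113.5", "consumer": "u-7", "method": "GET", "path": "/orders/1003", "status": 403}
{"ip": "203.0.113.5", "consumer": "u-7", "method": "GET", "path": "/orders/1004", "status": 404}
{"ip": "198.51.100.9", "consumer": "u-3", "method": "GET", "path": "/orders/2200", "status": 200}
{"ip": "192.0.2.77", "consumer": "alice", "method": "POST", "path": "/login", "status": 401}
{"ip": "192.0.2.77", "consumer": "bob", "method": "POST", "path": "/login", "status": 401}
{"ip": "192.0.2.77", "consumer": "carol", "method": "POST", "path": "/login", "status": 401}
"""
OBJECT_PATH = re.compile(r"^/(\w+)/(\d+)$")   # e.g. /orders/1001 -> collection "orders", id 1001

def parse(lines: str) -> list:
    return [json.loads(line) for line in lines.strip().splitlines() if line.strip()]

def detect_bola(events, min_ids: int = 4, min_denied: int = 3) -> list:
    """Flag a consumer that walks consecutive object ids in one collection and is mostly
    denied: the signature of probing for a missing object-level authorization check."""
    seen = defaultdict(lambda: {"ids": set(), "denied": 0})
    for e in events:
        m = OBJECT_PATH.match(e["path"])
        if not m:
            continue
        s = seen[(e["consumer"], m.group(1))]
        s["ids"].add(int(m.group(2)))
        s["denied"] += e["status"] in (403, 404)
    alerts = []
    for (consumer, collection), s in seen.items():
        ids = sorted(s["ids"])
        consecutive = all(b - a == 1 for a, b in zip(ids, ids[1:]))
        if len(ids) >= min_ids and s["denied"] >= min_denied and consecutive:
            alerts.append({"rule": "bola_enumeration", "consumer": consumer,
                           "collection": collection, "ids": len(ids), "denied": s["denied"]})
    return alerts

def detect_credential_stuffing(events, min_accounts: int = 3) -> list:
    """Flag a source IP with failed logins against several distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["path"] == "/login" and e["status"] == 401:
            failed[e["ip"]].add(e["consumer"])
    return [{"rule": "credential_stuffing", "ip": ip, "accounts": len(users)}
            for ip, users in failed.items() if len(users) >= min_accounts]
```

Baseline the thresholds against your own traffic: a single denied request is routine, while a run of consecutive IDs with mostly 403/404 responses from one consumer is the pattern Step 4 tells you to alert on.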

Next Steps

Ready to improve your API security? Here's how to begin.

Step 1: API Inventory

Discover and document all APIs: internal, external, partner. Identify authentication mechanisms and authorization models.

Step 2: Risk Assessment

Evaluate APIs against OWASP API Security Top 10. Prioritize high-risk APIs (public, sensitive data, high volume).

Step 3: Control Implementation

Address highest-risk findings first. Implement gateway controls for broad protection. Add application-level controls for specific vulnerabilities.

Expert Guidance

Our application security practice helps organizations secure their APIs. Schedule a consultation to discuss your API security requirements.