Last updated: 2 minutes read.

Authentication is the process of identifying API clients. It’s a broad topic, with many approaches to choose from. Choosing the right approach is important, as it forms a fundamental part of the overall security strategy. The decision depends on many risk factors; users, functionality, data, accessibility and compliance, to name just a few. While there isn’t necessarily a single, correct choice, it’s usually safe to assume that some form of authentication is needed, as it’s a crucial prerequisite in performing subsequent identity-based authorisation checks.

Implement Appropriate Authentication

Choose a suitable authentication approach based on the risk profile of the API. Is it publicly accessible or internal? Does it require user interaction or is it machine to machine? How sensitive is the data and functionality provided by the API? Simplistic approaches, such as Bearer Tokens, can work for low risk, basic APIs, but for higher risk or more sophisticated APIs, it may be more appropriate to use a standards-based approach such as OAuth 2.0 or OpenID Connect. Furthermore, using an external identity provider can deliver additional benefits, such as single sign-on, as well as multi-factor authentication approaches such as biometric verification.

Handle Data Securely

Don’t undermine the authentication process by leaking sensitive authentication data. Use transport layer security and hashing to prevent credentials from being intercepted and stolen through insecure transmission and storage. These principles also apply to upstream requests made by the gateway and upstream API to other APIs and services.

Enforce Good Practices

Establish rules that reduce risk and enhance overall system security. Use password policies to prevent the use of weak passwords, and TLS policies to prevent the use of older TLS versions that are now deprecated and considered vulnerable.

Protect Sensitive Endpoints

Reduce susceptibility of sensitive endpoints to brute force dictionary or password stuffing attacks. The typical target for this type of attack are endpoints that use credentials, such as login and password recovery. Unfortunately, anonymous access is required for these endpoints, so authentication cannot be used to protect them, so the best approach is to hinder access by using techniques such as rate limiting, captcha and one-time URLs.