API Security Best Practices

APIs are the interfaces through which systems communicate. A poorly secured API is a wide-open door into your data and systems. This article explains the security practices we apply to every API we build.

Authentication and Authorisation

  • All API endpoints must be authenticated: No endpoint should be publicly accessible without authentication unless it is explicitly intended to be public
  • JSON Web Tokens (JWT): For stateless authentication, we use JWTs with appropriate expiry times and proper signature verification
  • API keys: For machine-to-machine communication, we issue API keys with limited scope and support key rotation without downtime
  • OAuth 2.0: For user-delegated access (allowing third-party apps to access data on a user's behalf)

Authorisation Checks

Every API endpoint must check not just that the caller is authenticated, but that they are authorised to perform the specific action on the specific resource. Broken object-level authorisation (BOLA) — where users can access other users' data by changing an ID in the URL — is the most common API vulnerability.

Rate Limiting

APIs must implement rate limiting to prevent brute force attacks, credential stuffing, and abuse. We implement rate limiting at both the API gateway and application level.

Input Validation

All API inputs are validated against a strict schema. Unexpected fields are rejected. All values are validated for type, format, and range before processing.

Output Filtering

API responses should return only the data the caller is authorised to see — not entire database records with all fields. We explicitly define response schemas and filter sensitive fields.
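One way to implement the object-level check from Authorisation Checks together with the response filtering described here, as an added example that is not the article's own code. The in-memory ORDERS table, the caller dict with `sub` and `roles`, the `support` role and the `(status, body)` return convention are assumptions for illustration.

```python
"""Object-level authorisation plus response-schema filtering for one handler.

Constructed sample data and a framework-free handler so the example runs
offline; a real service would use its own storage and auth middleware.
"""

# Constructed sample data: two customers' orders, including internal-only
# fields that must never be returned to an API caller.
ORDERS = {
    "o-1001": {"id": "o-1001", "owner": "alice", "total": 42.50,
               "status": "shipped", "card_last4": "4242", "fraud_score": 0.02},
    "o-1002": {"id": "o-1002", "owner": "bob", "total": 99.00,
               "status": "pending", "card_last4": "1111", "fraud_score": 0.71},
}

# Explicit response schema: only these fields ever leave the service.
ORDER_RESPONSE_FIELDS = ("id", "total", "status")


def get_order_vulnerable(caller, order_id):
    """BOLA pattern: any authenticated caller can read any order by changing
    the ID, and the raw record (card data included) is returned."""
    if caller is None:
        return 401, {"error": "authentication required"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, dict(order)


def get_order(caller, order_id):
    """Hardened handler: authenticate, then authorise the caller for this
    specific object, then return only the schema-defined fields."""
    if caller is None:
        return 401, {"error": "authentication required"}
    order = ORDERS.get(order_id)
    # Assumed policy: the owner or a caller holding the 'support' role may read.
    allowed = order is not None and (
        order["owner"] == caller["sub"] or "support" in caller.get("roles", ())
    )
    # Missing and foreign objects both answer 404 so that status codes do not
    # reveal which IDs exist.
    if not allowed:
        return 404, {"error": "not found"}
    return 200, {k: order[k] for k in ORDER_RESPONSE_FIELDS}
```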
