Summary
At this point, you understand all the elements of how an API is constructed. We looked at the different types of APIs in common use today and then focused on the specifics of the REST API, namely the HTTP protocol. API security is built on two foundational elements of access control, namely authentication (who is using the API) and authorization (what are they allowed to do with the API). From the origins of simple username/password authentication, we arrived at the OAuth2 framework, which is the workhorse of API access control.
Most API security vulnerabilities have their origins in poorly implemented authentication and authorization controls. We covered a number of high-level recommendations for avoiding these common pitfalls. Finally, we looked at the humble JWT, the signed token that carries the identity and authorization claims on which an API's access decisions are made, acting as your digital passport.
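To make the authentication/authorization split and the "digital passport" concrete, here is an added example (not code from the book) that mints an HS256 JWT and then processes it the way an API endpoint would: first authenticate (verify the signature, the audience and the expiry, with the algorithm pinned server-side rather than read from the token), then authorize (check the `scope` claim against what the endpoint requires). The shared secret, the `orders-api` audience and the `orders:read`/`orders:write` scope names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only: a real service loads the key from a secret store.
SECRET = b"example-shared-hmac-key-not-for-production"
API_AUDIENCE = "orders-api"


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT strips before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256 JWT (the 'passport'): base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def authenticate(token: str, key: bytes = SECRET, audience: str = API_AUDIENCE, now=None) -> dict:
    """Authentication: establish WHO is calling by proving the token is genuine, unexpired
    and meant for this API. Returns the verified claims, or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side: the token's own 'alg' must never select the verifier,
    # otherwise 'none' (or an RSA-to-HMAC confusion) would bypass the signature check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this API")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, required_scope: str) -> bool:
    """Authorization: given a verified identity, decide WHAT it may do on this endpoint."""
    return required_scope in claims.get("scope", "").split()


def handle_request(token: str, required_scope: str, now=None) -> int:
    """Status an API would return: 401 (not authenticated), 403 (authenticated, not allowed), 200."""
    try:
        claims = authenticate(token, now=now)
    except ValueError:
        return 401
    if not authorize(claims, required_scope):
        return 403
    return 200


if __name__ == "__main__":
    issued_at = int(time.time())
    passport = mint_jwt({"sub": "alice", "aud": API_AUDIENCE,
                         "scope": "orders:read", "exp": issued_at + 3600})
    print("GET  /orders ->", handle_request(passport, "orders:read"))   # 200
    print("POST /orders ->", handle_request(passport, "orders:write"))  # 403
    forged = b64url_encode(b'{"alg":"none"}') + "." + passport.split(".")[1] + "."
    print("alg=none     ->", handle_request(forged, "orders:read"))     # 401
```

The two status codes are the practical boundary between the two controls: a 401 means the passport could not be verified at all (bad signature, wrong audience, expired, or an algorithm the server does not accept), while a 403 means the caller is known but the claims do not grant this operation. Keeping `authenticate` and `authorize` as separate steps is what makes each check easy to test in isolation.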
In the next chapter, we are going to look at how things can go wrong in practice by taking a deep dive into the most common API...