How to Build an API with Security in Mind

Ensure your API design includes authentication, authorization, and auditing.

Jiri De Jagere Jiri De Jagere

Application programming interfaces (APIs) are the preferred means of connecting modern applications and have become an indispensable part of application development. Businesses rely on them to share data with developers, third parties, and customers. However, the data they handle and the endpoints they access also make them an attractive target for hackers looking to illegally access sensitive organization data.

While you can add security features to APIs during or after deployment, it’s often not enough. To properly secure them, you need to include security in the design phase and build it from the ground up. This gives you a better chance of protecting your API from threats.

This article will discuss building a security-focused API from the ground up. We’ll also look at the components that make up a secure API.

Build APIs with a security foundation

Security is a constantly evolving challenge. Cybercriminals are always looking for new ways to exploit vulnerabilities to their benefit. This is why it is important to consider security requirements from the beginning. You must deliberately design what should and what should not be allowed rather than trying to patch things further on in the process.

Design security

Building a secure API starts before a developer writes their first line of code. It begins when they design how the API will work, who it will serve, and what information it’ll carry. So, this should be addressed before development is in full swing. Thinking about it this way allows for the seamless application of security controls and practices as you build the API. 

One group that is almost always going to be affected by additional API security measures is the users. For instance, some security measures will require them to provide their credentials regularly. This jumping through hoops degrades the user experience. That’s why engaging users in the initial design stage is essential. It will help you understand their sentiments on different security options you might consider for your API. 

At the same time, you have to factor in the impact of security on the application’s performance. For instance, adding security mechanisms, such as encryption and signatures, increases an API’s latency. API product managers should understand such implications well in the API design phase. It helps them communicate the speed and security trade-off to the API users.

Security focal points

There are three focal points that a developer has to consider while creating a secure API. They include authentication, authorization, and auditing. Let’s discuss what each one entails.

1. Authentication

Authentication involves determining who a user is. Some methods that can be used to authenticate API users include API keys, HTTP basic authentication, OAuth authentication, and Multi-Factor authentication (MFA). 

  • HTTP basic authentication: This involves combining a username and a password, encoding them, and including them as a special HTTP header in every request. Before a server can process a request, it verifies the client’s identity using the sent credentials. 
  • API key authentication: This involves including a key with a long series of numbers and letters in the header of every request. The server grants an API key to each user and identifies the client making that request using their API key. 
  • OAuth authentication: This mechanism generates a token for each client once they login into a system. The client then uses that token to identify themselves to the server while making requests. You can use this method to authenticate users of one application on behalf of another. An example of this includes logging in to applications using your Facebook account, Google account, or GitHub account. 
  • Multi-factor authentication (MFA): This method sends a one-time password (OTP) to clients wishing to access the API via push notification or SMS. The most commonly used OTP is the time-based one-time password (TOTP) which is only valid for a limited time. It sends the code after the user sends valid credentials. It provides an extra security layer to the API and minimizes the risk of hackers using stolen credentials. 

 A robust authentication mechanism should confirm the identity of clients making API requests reliably, safely, and quickly. Additionally, it should rely on more than just usernames and passwords.

2. Authorization

API authorization involves determining what an authenticated user can access and making it available to them securely. The process involves checking if the client making a request has permission to perform the requested action. 

Broken Object-Level Authorization (BOLA) and Broken Function-level Authorization (BFLA)–both included in the OWASP API Security Top 10–can pose serious security risks to an API. BOLA occurs when an API fails to properly enforce access controls on resources or objects, allowing a client with restricted privileges to gain unauthorized access to them.  

Broken Function-Level Authorization (BFLA) occurs when an API fails to properly enforce access controls on specific API functions or operations, allowing a client with restricted privileges to gain unauthorized access to them. Both BOLA and BFLA can lead to data breaches, data modification or destruction, and other malicious activities that can seriously impact the security and integrity of an API and its users’ data. 

To counteract these potential security risks, an API can use role-based access control (RBAC) or attribute-based access control (ABAC) as its access control model. 

  • RBAC: This model checks the client’s role to determine what they can access and the actions they can perform. The roles should therefore be in alignment with the business logic. For instance, a user trying an API may have a free_trial_user role which limits them from accessing some of the features that a premium_user role can access. 
  • ABAC: This model determines what a client can access based on attributes associated with a user, an environment, or a resource. For instance, you can restrict users from accessing a resource by adding an attribute such as grant_access: false.

3. Auditing

Logging and auditing all client requests is a critical component of API security. It allows you to analyze incoming traffic and identify usage patterns. You can use such data to identify attacks and evaluate their impact. 

The lack of a proper audit system can make you miss attempted and successful attacks. That’s because hackers can successfully execute an API attack without triggering any security alerts. Therefore, continuous auditing is critical in monitoring and improving an API’s security posture.

Tips for secure building

API security is a critical responsibility of any organization dealing with sensitive data. Failure to properly secure an API can expose user data, which in most cases would be a violation of user privacy laws. It can lead to the business being sued or charged huge fines by regulators. 

Below are a few tips on how to build a secure API: 

  • Use an API gateway: This is a gatekeeper between the clients and the organization’s backend. It eliminates a direct connection between the client and the backend microservices and thus reduces the chances of a successful attack. It improves API security by decoupling API endpoints and adding a robust usage monitoring mechanism. 
  • Layer your security: You need to organize your security to maximize the chances of stopping an attack. For instance, input validation, data encryption, API gateway, and RBAC can work together as layers to protect your API. The layering makes it harder to abuse the API as each layer enforces strict rules for how it should be used.  
  • Limit each API call reach: Minimize the data requested by each call to only what is needed. Also, minimize the data sent as responses by the server to only what is required. By deliberately designing your response schemas before you start development, you can reduce the chances of sensitive data exposure and possible damage in case of a breach. 
  • Rate limiting: By limiting the number of requests over time by a user to “normal” levels, you prevent brute-force or spraying attacks by making them hard to execute at volume.

Software AG API Security

Software AG helps companies build secure and reliable APIs. Its webMethods API Gateway enables companies to expose their APIs endpoints securely. It makes it possible to securely connect their backend to third-party developers, partners, and consumers. 

webMethods API Gateway supports REST-based, SOAP-based, GraphQL, and OData APIs. It provides complete run-time protection and a web-based user interface to perform API-related tasks.


The increase in API attacks has made API security so critical that businesses can’t afford to make it an afterthought. They have to consider security in the API design stage because it minimizes the chance of a successful attack. 

A business should protect their API endpoints by using an API gateway that provides robust authentication, authorization, and continuous auditing capabilities. 

Check out Software AG to learn more about our API security tools.