HACKER Q&A
📣 cmdli

How do you secure your APIs?


I'm looking into adding an API to a small project that I am working on and am wondering how y'all secure your APIs.

Do you use API keys? OAuth? Any tools/services that make it easier?


  👤 tragictrash Accepted Answer ✓
Nginx implemented with a reverse proxy, with a sub request to the built in auth module.

Basically, you can forward portions of an HTTP request (cookie or bearer token) to another service not accessible directly by the user. That service responds with a 200 or not, and the request is allowed, or not.

It's real simple, I've hooked something up to the Discord API and other methods like this. Usually, one uses an already built identity system with RBAC built in.

Check out Ory Kratos and Ory Oathkeeper. Those fit right in.

https://nginx.org/en/docs/http/ngx_http_auth_request_module....

Granted, you should always validate the authorization on the application side too, but this just adds another layer of security.
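The subrequest flow described above, as an added example that is not part of tragictrash's post: a minimal auth backend that nginx's `auth_request` directive can call, deciding only on the status code it returns. The nginx location block in the docstring, the listen port 9001 and the sample token are constructed for this example.

```python
"""
Auth subrequest backend for ngx_http_auth_request_module (added example).
nginx forwards the client's Authorization header to this service; a 2xx
allows the original request through, a 401 or 403 denies it.

Assumed nginx configuration (constructed for this example):

    location /api/ {
        auth_request /_auth;            # subrequest runs before proxy_pass
        proxy_pass http://backend;
    }
    location = /_auth {
        internal;                       # clients cannot reach this directly
        proxy_pass http://127.0.0.1:9001/check;
        proxy_pass_request_body off;    # only the headers are needed
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
"""
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credential: store only a hash of each bearer token,
# so a leaked auth-service config does not leak usable tokens.
VALID_TOKEN_HASHES = {hashlib.sha256(b"example-token-123").hexdigest()}


def check_auth(authorization_header):
    """Return 200 for a known bearer token, 401 if absent/malformed, 403 if unknown."""
    if not authorization_header:
        return 401
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison against every stored hash avoids timing leaks.
    if any(hmac.compare_digest(digest, h) for h in VALID_TOKEN_HASHES):
        return 200
    return 403


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = check_auth(self.headers.get("Authorization"))
        self.send_response(status)
        self.end_headers()  # nginx only inspects the status code

    # Only headers matter here, so every method gets the same treatment.
    do_HEAD = do_POST = do_PUT = do_PATCH = do_DELETE = do_GET


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9001), AuthHandler).serve_forever()
```

As the post notes, the upstream application still has to enforce authorization itself; this service only gates whether a request reaches it at all.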


👤 mooreds
We use API keys for all APIs. The keys can be scoped to a tenant, endpoint(s), HTTP methods (GET/POST) and also can be locked down via IP address.

We also use OAuth access tokens for a few of our API endpoints. We're looking at rolling that out through more of our API endpoints.

We have a few APIs that can be called without any authentication at all. With this situation, the data returned is typically a subset of what would be returned if called with an API key.

And finally, basic auth for one API that integrates with Prometheus.


👤 newusertoday
API keys. You can use the same system you are using for authenticating users with a slight change.

👤 saradhi
API Keys

👤 yuppie_scum
WAF

👤 grandpoobah
OAuth

IdentityServer4 for .NET

authlib for python/flask