What is API Authentication?
API authentication is a process used to verify the identity of a client that is attempting to access an API. Once the identity of an API client is verified, API authorization ensures the client is allowed to access protected resources or perform privileged actions within the API.
Authentication is typically achieved through the exchange of credentials between the client and the server. These credentials can take many forms, such as API keys, usernames, passwords, or security tokens. The API client must provide these credentials to the API server as part of the authentication process, which then verifies the credentials before granting access to the requested resource.
API authentication is critical for ensuring the security and integrity of an API. Without proper authentication, any user could gain access to sensitive data or perform malicious actions within the API. Authentication is usually used in combination with encryption to further protect against unauthorized access. API authentication is an essential component of any API security strategy, so let’s get to the details.
What is API Authorization?
After API authentication confirms the identity of the user or client making the API request, API authorization determines whether that user or client is allowed to access the requested resource or perform the requested operation.
A user who has been authenticated may attempt to access resources or perform operations that they are not authorized to perform.
API authorization is necessary to ensure that users or clients are performing operations that are within their allowed privileges. This prevents unauthorized access to sensitive data and actions, such as modifying or deleting data.
For example, a user authenticates with a username and password when logging in to a Customer Relationship Management (CRM) system that the sales team uses to track business opportunities and revenue. Because the user’s role is “marketer”, they are not allowed to change certain fields in the system. When the user attempts to change an opportunity’s value, API authorization fails and the request is rejected.
3 API Authentication Mechanisms
There are several common authentication mechanisms. Today we’ll talk about:
- HTTP Authentication Schemes
- OpenID Connect + OAuth 2.0
- API Keys
HTTP Authentication Schemes
There are a few different flavors of HTTP authentication.
Basic
HTTP basic authentication is a simple challenge-and-response mechanism.
How it Works
The server requests credentials, and in response the client provides a username and password. The username and password are joined into a single value, Base64-encoded, and sent in the HTTP Authorization header. The server decodes the header and compares the credentials with the ones it has stored. If they match, the client is granted access to the resource; if not, the server responds with a status code such as “401 Unauthorized”.
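The exchange just described, as an added example that is not part of the original post: the client builds the Authorization header, and the server parses it, compares the credentials in constant time and answers 200 or 401 with a challenge. The credential store is a plain dictionary here for illustration only; a real server would keep salted password hashes.

```python
import base64
import binascii
import hmac


def basic_auth_header(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64('username:password')."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: str):
    """Decode an Authorization header into (username, password), or None if malformed.
    Note that anyone who can read the header can do this: Base64 is encoding, not encryption."""
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the username may not contain ':'; everything after the first ':' is the password.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header, credentials: dict) -> tuple:
    """Server side: return (status, response_headers). 200 on a match, otherwise 401 plus
    the WWW-Authenticate challenge that tells the client which scheme to use."""
    challenge = {"WWW-Authenticate": 'Basic realm="api"'}
    parsed = parse_basic_auth(header or "")
    if parsed is None:
        return 401, challenge
    username, password = parsed
    stored = credentials.get(username, "")
    # Constant-time compare so response timing does not leak how much of the password matched.
    if stored and hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        return 200, {}
    return 401, challenge
```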
Bearer
Another HTTP authentication scheme is bearer authentication. It is also referred to as token authentication because it relies on security tokens called bearer tokens. A bearer token is an opaque string, usually generated by the server in response to a login request. This mechanism is used in OAuth 2.0 (read on for more), but it can also be used outside that framework.
How it Works
With this scheme, every request to the server carries a signed token. Bearer tokens are usually generated by the server when a client logs in to an application: the application validates the credentials and returns a signed token to the client. The client stores the token and sends it along with every subsequent request, typically in the Authorization header.
Benefits/Drawbacks/Best Use
- Benefits
- Easiest and quickest to implement.
- Supported by every programming language and browser.
- Drawbacks
- Both Basic and Bearer authentication should only be used over HTTPS (TLS) or within a secure network. Without a secure connection, the transmission can be intercepted, and the username and password (or the token) can easily be decoded and reused.
- Best Use
- HTTPS or secured networks only
OpenID Connect (Authentication) + OAuth 2.0 (Authorization)
OpenID Connect (OIDC) is an identity authentication protocol that may be used to verify the identity of a user to a client service. The OIDC provider performs user authentication, user consent, and token issuance. The client or service requesting a user’s identity is called the Relying Party (RP). An RP can be a web application, a JavaScript application, a mobile app, or a similar entity.
OIDC is built on top of OAuth 2.0, which is an authorization framework that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its behalf.
How it Works
OIDC uses tokens for both authentication and authorization processes.
The authentication process uses ID tokens, most commonly JSON Web Tokens (JWTs). The client reads the ID token to establish that the user is authenticated. It contains information about the user, such as their username, when they signed in to the application or service, and how long the token remains valid.
The authorization process uses access tokens. These can also be JWTs but may be in a different format. An access token tells the API that the bearer is authorized to call it and to perform the specific actions the token grants.
The two are not interchangeable: ID tokens are issued for the client application and cannot be used to access an API, and access tokens are issued for the API and cannot be used to authenticate a user.
[Figure: OAuth impersonation flow diagram, courtesy of Atlassian]
A Brief Word on JWTs
JWT is an open industry standard used to share information between two entities, usually a client and a server. JWTs offer a compact and self-contained way of transmitting authentication data between parties and are often used in RESTful APIs.
A JWT has three parts:
- Header, which states the signing algorithm being used and the type of token, usually “JWT”.
- Payload, which contains the claims as a JSON object.
- Signature, a string generated by a cryptographic algorithm over the header and payload, which is used to verify their integrity.
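The bearer-token flow described above and the three-part JWT structure, in one added example that is not from the original post: the server mints an HS256-signed JWT at login, and the API later verifies the signature, the expiry, and the audience claim on each request. The secret, claim names and “orders-api” audience are assumptions chosen for the example; an ID token carrying the client’s id in `aud` is rejected by the same check, which is why the two token types are not interchangeable.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, audience: str, ttl: int, now: int) -> str:
    """Mint header.payload.signature, signed with HMAC-SHA256 (constructed example)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(secret: bytes, token: str, expected_aud: str, now: int):
    """API side: return the claims if the bearer token is valid for this API, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, or malformed JSON
        return None
    # Pin the algorithm the server issues with instead of letting the header choose it.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None  # payload or signature was altered after signing
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired; a JWT cannot be revoked earlier without extra state
    if payload.get("aud") != expected_aud:
        return None  # issued for a different audience, e.g. an ID token meant for the client
    return payload
```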
Benefits/Drawbacks/Best Use
- Benefits
- User-friendly – no usernames or passwords needed
- Portable – supports a range of signature and encryption algorithms
- Efficient. A JWT carries all the required information about an entity, so the server does not need a database lookup on every request. Plus, JWTs are stored only on the client, which saves server-side storage.
- Drawbacks
- Can be complex and hard to manage and scale
- Can be difficult to revoke access before the JWT expiration
- Best use
- Consumer-focused web and mobile applications, especially “social logins”, which are essentially single sign-on (SSO) using an existing account at a social networking service (Google, Facebook, etc.) to sign in to a third-party website instead of creating a new login account.
API Keys
One common method of authentication is through the use of API keys. API keys are typically long, randomly generated strings of characters that are issued to clients when they register with the API.
How it Works
The API client must provide this key in each API request to authenticate themselves to the API server. The server then verifies the API key against its list of authorized keys before allowing the request to proceed.
Benefits/Drawbacks/Best Use
- Benefits
- Easy to implement
- Allows logging of who is accessing an API.
- Drawbacks
- API keys are held by clients, so they are relatively easy to steal. A stolen key has no built-in expiration and can be used until it is revoked or regenerated.
- API keys need to be rotated regularly.
- Best Use
- Recording API usage for customer billing (e.g., as seen in this OpenWeather billing plan)
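The server side of API-key authentication as an added example, not code from the original post: keys are issued to registered clients, only a hash of each key is stored, every request is checked against the registry and logged with the client identity, and the drawbacks above are addressed by revocation and a maximum key age that forces rotation. The client ids, paths and 24-hour rotation window are assumptions.

```python
import hashlib
import secrets


class ApiKeyStore:
    """Server-side registry of issued API keys (constructed example).

    Only a SHA-256 hash of each key is stored, so a copy of the registry does not
    yield usable keys; the plaintext key is returned to the client once, at issue time.
    """

    def __init__(self, max_age_seconds: int):
        self.max_age = max_age_seconds   # keys older than this are rejected until rotated
        self._records = {}               # sha256(key) -> {"client", "issued_at", "revoked"}
        self.access_log = []             # which client used a key, for which path, with what result

    @staticmethod
    def _digest(api_key: str) -> str:
        return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

    def issue(self, client_id: str, now: int) -> str:
        """Generate a long random key for a registered client and return it once."""
        api_key = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._records[self._digest(api_key)] = {
            "client": client_id, "issued_at": now, "revoked": False}
        return api_key

    def revoke(self, api_key: str) -> None:
        """Mark a leaked or retired key as unusable without deleting its audit trail."""
        record = self._records.get(self._digest(api_key))
        if record is not None:
            record["revoked"] = True

    def authenticate(self, api_key: str, now: int, path: str):
        """Return the client id when the key is known, not revoked and within its
        rotation age; otherwise None. Every attempt is logged, success or failure."""
        record = self._records.get(self._digest(api_key or ""))
        if record is None:
            outcome = "unknown-key"
        elif record["revoked"]:
            outcome = "revoked"
        elif now - record["issued_at"] > self.max_age:
            outcome = "expired"
        else:
            outcome = "ok"
        client = record["client"] if record is not None else None
        self.access_log.append({"client": client, "path": path, "outcome": outcome})
        return client if outcome == "ok" else None
```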
Why Security Teams Should Care About API Authentication
Security teams should care about API authentication because it is a critical component of securing API-based applications. With 90% of developers using APIs, they’ve become an attractive target for attackers, who may attempt to exploit vulnerabilities in the API to gain access to sensitive information or perform malicious actions.
API authentication is the first line of defense against such attacks. It ensures that only authorized users can access protected resources or perform privileged actions within the API. Without proper authentication, attackers could gain access to sensitive data or perform malicious actions.
Security teams should also care about API authentication because it helps monitor and track API usage. By requiring authentication for all API requests, security teams can review logs to better understand who is accessing the API, what resources they are accessing, and how often they are accessing them. This information can be used to identify potential threats, monitor suspicious activity, and enforce security policies.
Benefits of API Authentication
API authentication helps security teams:
- Protect against unauthorized access
- API authentication ensures that only authorized users or systems can access an API and its resources. Without authentication, any user or system can access the API, which can lead to data breaches and other security incidents.
- Manage permissions and access
- Authentication helps security teams manage access to specific API resources based on the user’s role and permission level. For instance, certain data resources may be restricted to only authorized personnel, while others may be open to the public.
- Detect threats
- Authentication helps security teams track and monitor API usage, so they can detect suspicious activities and identify potential security threats.
History Lesson: Major API Hacks
Here’s a list of some major API hacks from the past 7 years:
- Twitter API hack (July 2020): Attackers gained access to the Twitter API and used it to tweet a Bitcoin scam from high-profile accounts including Barack Obama, Joe Biden, and Elon Musk.
- T-Mobile API hack (August 2018): Attackers gained access to T-Mobile’s API and stole the sensitive data of over 2 million customers, including names, addresses, and billing information.
- MyFitnessPal API hack (February 2018): Attackers gained access to MyFitnessPal’s API and stole the login credentials of over 150 million users.
- Equifax API hack (May 2017): Attackers gained access to Equifax’s API and stole the personal information of over 140 million customers, including Social Security numbers, birthdates, and addresses.
- Uber API hack (November 2016): Attackers gained access to Uber’s API and stole the personal information of over 57 million customers and drivers, including names, email addresses, and phone numbers.
API Authentication and Authorization In Action
Here’s a real example of why API authentication and authorization are so critical and how Bionic can help you find and fix unauthenticated APIs.
Do you want to learn more about how to identify APIs and how they impact risk in production?
Check out our guide to Application Security Posture Management.