Ask HN: How you do secure your APIs?

16 points by cmdli ↗ HN
I'm looking into adding an API to a small project that I am working on and am wondering how y'all secure your APIs.

Do you use API keys? OAuth? Any tools/services that make it easier?

10 comments

[ 3.6 ms ] story [ 35.9 ms ] thread
oauth

IdentityServer4 for .NET

authlib for python/flask

Nginx implemented with a reverse proxy, with a sub request to the built in auth module.

Basically, you can forward portions of a http request (cookie or bearer token) to another service not accessible directly by the user. That serverice responds with a 200 or not, and the request is allowed, or not.

It's real simple, I've hooked something up to the discord API and other methods like this. Usually, one uses a already built identity system with RBAC built in.

Check out ory kratos and ory oathkeeper. Those fit right in.

https://nginx.org/en/docs/http/ngx_http_auth_request_module....

Granted, you should always validate the authorization on the application side too, but this just adds another layer of security.

We use API keys for all APIs. The keys can be scoped to a tenant, endpoint(s), HTTP methods (GET/POST) and also can be locked down via IP address.

We also use OAuth access tokens for a few of our API endpoints. We're looking at rolling that out through more of our API endpoints.

We have a few APIs that can be called without any authentication at all. With this situation, the data returned is typically a subset of what would be returned if called with an API key.

And finally, basic auth for one API that integrates with Prometheus.

How do you manage your keys? Some manual CRUD thing? Something FOSS? Something that your cloud provider provides?
We have our own custom subsystem for keys as it is a critical part of our application. (So, at the end of the day, in a database the application controls.)
api keys. You can use same system you are using for authenticating users with slight change.
(comment deleted)