The Different Levels of API Security: From 0 to Advanced
August 01, 2023

Gary Archer
Curity

APIs (Application Programming Interfaces) are incredibly important in today's digital landscape. They play a crucial role in enabling communication and interaction between different software applications, systems, and services. Due to the increasing reliance on APIs, they have gradually become the top target for hackers. As such, enterprises are placing more emphasis on API security to protect the integrity of data and services, build trust and confidence, and mitigate future risks.

This blog will explore the different levels of API security by examining the API Security Maturity Model, a framework in which security and trust increase according to each level. The higher up on the model, the better organizations are equipped to protect their systems more efficiently.

The API Security Maturity Model is divided into four layers:

Level 0: API Keys and Basic Authentication

Level 1: Token-Based Authentication

Level 2: Token-Based Authorization

Level 3: Centralized Trust Using Claims


Level 0: API Keys and Basic Authentication

API keys and basic authentication, common methods for API security, are considered level 0. Both of these methods provide authentication to protect API resources. However, API keys can easily be compromised as they can only verify from machine to machine without considering the user's identity. In many cases, API keys are not renewed, so an attacker can use them maliciously for a long time.

In addition, API keys and basic authentication don't cover the authorization process. Authorization is vital as it helps determine the actions the user can perform within a system and whether they have permission to access certain resources or data.


Level 1: Token-Based Authentication

Token-based authentication is a user authentication method commonly used in web applications and APIs. Instead of using traditional username and password credentials, token-based authentication relies on access tokens to authenticate users and grant them access to protected resources. However, anyone with the access token can modify the API and gain access to the protected resources, as authorization is still not part of the process.


Level 2: Token-Based Authorization

In level 2 of the API Security Maturity Model, a token-based architecture is used for authorization. Token-based authorization is a method of controlling access to resources in web applications and APIs based on the presence and validity of a token. This token is generated during the authentication process and contains information about the user's identity and permissions.

APIs in level 2 use OAuth 2.0, an industry-standard authentication and authorization protocol used to grant third-party applications limited access to user resources on a web service without requiring the user to share their login credentials directly with the application. One of the advantages of OAuth is Scopes. Scopes enable access tokens issued to clients to use only restricted privileges.

The main issue with level 2 is that not all values used for API authorization are supplied securely. Even though a token is used to access a user's resources, other values may be passed in plain HTTP headers or URL path segments. A malicious party could potentially alter these values to elevate their privileges.

Level 3: Centralized Trust Using Claims

Level 3 is the most advanced tier of the API Security Maturity model, thus providing the highest level of security for your APIs. At this level, the API receives all secure values in access tokens delivered in a JSON web token (JWT) format. If these values are altered, the JWT will fail cryptographic validation. Such values are called claims and might include a user ID, company ID, and roles. Claims aid in the authorization or authentication of a user by providing more contextual information regarding the issued token and who the issuer is. Claims help to build an identity-based API security system that validates the identity of the user and their level of access to applications, resources, or services.

Conclusion

It is now more critical than ever for enterprises to adopt robust API security practices to protect their resources and users. The API security maturity model delineates the different levels of API security from very basic to advanced implementations. As explained, API keys are not adequate to secure modern APIs. An identity-centric approach based on claims is required to ensure the highest level of authentication and authorization of the user.

Gary Archer is Product Marketing Engineer at Curity
Share this

Industry News

January 28, 2025

Perforce Software announced the launch of AI Validation, a new capability within its Perfecto continuous testing platform for web and mobile applications.

January 28, 2025

Mirantis announced the launch of Rockoon, an open-source project that simplifies OpenStack management on Kubernetes.

January 28, 2025

Endor Labs announced a new feature, AI Model Discovery, enabling organizations to discover the AI models already in use across their applications, and to set and enforce security policies over which models are permitted.

January 27, 2025

Qt Group is launching Qt AI Assistant, an experimental tool for streamlining cross-platform user interface (UI) development.

January 27, 2025

Sonatype announced its integration with Buy with AWS, a new feature now available through AWS Marketplace.

January 27, 2025

Endor Labs, Aikido Security, Arnica, Amplify, Kodem, Legit, Mobb and Orca Security have launched Opengrep to ensure static code analysis remains truly open, accessible and innovative for everyone:

January 23, 2025

Progress announced the launch of Progress Data Cloud, a managed Data Platform as a Service designed to simplify enterprise data and artificial intelligence (AI) operations in the cloud.

January 23, 2025

Sonar announced the release of its latest Long-Term Active (LTA) version, SonarQube Server 2025 Release 1 (2025.1).

January 23, 2025

Idera announced the launch of Sembi, a multi-brand entity created to unify its premier software quality and security solutions under a single umbrella.

January 22, 2025

Postman announced the Postman AI Agent Builder, a suite empowering developers to quickly design, test, and deploy intelligent agents by combining LLMs, APIs, and workflows into a unified solution.

January 22, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of CubeFS.

January 21, 2025

BrowserStack and Bitrise announced a strategic partnership to revolutionize mobile app quality assurance.

January 21, 2025

Render raised $80M in Series C funding.

January 16, 2025

Mendix, a Siemens business, announced the general availability of Mendix 10.18.

January 16, 2025

Red Hat announced the general availability of Red Hat OpenShift Virtualization Engine, a new edition of Red Hat OpenShift that provides a dedicated way for organizations to access the proven virtualization functionality already available within Red Hat OpenShift.