API Testing With Postman Syllabus.pptx DisplayName=API Testing With Postman Syllabus-1-20

Uploaded by vy035169
Security

➢ API security means protecting the data and resources an API exposes from
unauthorized access. It ensures that only the right people or applications can
reach the API, keeping data safe and private.
Authentication Vs Authorization
➢ Authentication is the process of verifying the identity of a user or system. It
answers the question "Who are you?"

➢ Authorization determines what an authenticated user is allowed to do: it is the
permission for a particular user to perform a specific action. It answers the
question "What can you do?"

Overall, authentication is about confirming who you are; authorization is about
defining what you can do once your identity is confirmed. An API that authenticates
a caller but never checks authorization (for example, letting any logged-in user
read another user's records) is still insecure, so API tests need both kinds of case.
➢ Types of Authentication
Basic Authentication
Bearer Token Authentication
API Key
OAuth 2.0
JWT
Basic Authentication

➢ Basic Authentication is a straightforward way to verify your identity using a
username and password. The client sends username:password, Base64-encoded, in the
Authorization header on every request. The credentials are encoded but not
encrypted, so it must only be used over a secure connection (HTTPS).
❖DISADVANTAGE :
Basic Authentication sends credentials (username and password) encoded in
Base64, not encrypted. Anyone who intercepts the header can decode the credentials
instantly, and because the same password is resent with every request, a single
capture compromises the account until the password is changed.
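The following is an added example, not code from the original slides. It builds the Basic Authorization header the way a client such as Postman does, shows that one Base64 decode recovers the password (the disadvantage described above), and shows the server-side check with a constant-time comparison. The username, password and the USERS table are constructed for the example.

```python
import base64
import hmac

# Constructed sample credential store for the example (not from the original page).
USERS = {"alice": "s3cret-pa55"}


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a client sends for Basic auth (RFC 7617)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header: str) -> tuple:
    """Recover (username, password) from a Basic header.

    This is the disadvantage the slide describes: Base64 is an encoding, not
    encryption, so anyone who captures the header can do exactly this.
    """
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(payload, validate=True).decode("utf-8")
    # Split on the FIRST colon only: the username cannot contain ':' but the
    # password may.
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed credentials: missing ':' separator")
    return username, password


def check_basic(header: str, users: dict = USERS) -> bool:
    """Server-side check. hmac.compare_digest runs in constant time, so the
    response time does not leak how many leading password bytes matched."""
    try:
        username, password = decode_basic_header(header)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = users.get(username)
    if expected is None:
        # Compare against a dummy so unknown users cost the same time as known ones.
        hmac.compare_digest(password.encode(), b"\x00" * 16)
        return False
    return hmac.compare_digest(password.encode(), expected.encode())
```

Note that check_basic() never sees a transport: nothing in the scheme itself stops the header from travelling in clear text, which is why the HTTPS requirement in the slide is part of the security, not an optional extra.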
Bearer Token Authentication

➢ A bearer token is an access token that provides authentication and
authorization to access protected resources. The term "bearer" means that
whoever possesses the token can access the resources it grants, without needing
additional credentials. That is also its main risk: a leaked token is as good as
the original login until it expires or is revoked, so bearer tokens must be sent
only over HTTPS and kept short-lived.
API Key

➢ An API key is a string of characters (usually a combination of letters and
numbers) that is passed along with an API request to identify the calling client
(such as an app or a user).

API Key Vs Bearer Token

Authenticity: API keys are plain strings with no built-in mechanism for verifying their
authenticity or integrity; the server simply checks whether the key matches a stored value.
Bearer tokens such as JWTs are signed with a secret key or a public/private key pair, so
the server can verify that the token is genuine and has not been altered.

Scope: API keys typically identify the client and grant broad access without specifying
which actions may be performed, which is a security risk if the key leaks. Bearer tokens
can carry specific claims (subject, scopes, audience) that define what the bearer can and
cannot do, allowing fine-grained access control.

Security: API keys are simpler and less secure than bearer tokens because they carry no
signed information about the user or session; a key proves only that the caller knows
the string.

Expiration: API keys typically have no expiration date and remain valid until explicitly
revoked by the server, so a leaked or stolen key can be misused indefinitely. Bearer
tokens such as JWTs include an expiration time ("exp") that automatically limits their
validity period, reducing the risk window if the token is compromised.
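The following is an added example, not code from the original slides, covering both the Bearer Token/JWT material and the API-key comparison above. It issues and verifies an HS256 JWT (signature check, pinned algorithm, "exp" check) and places the equivalent API-key check next to it so the difference in what each proves is visible. The SECRET, the API_KEYS table and the claim values are constructed for the example; a real service would load the secret from its configuration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: the HMAC secret shared by issuer and verifier,
# and a fake API-key table. Neither comes from the original slides.
SECRET = b"example-hs256-secret-not-for-production"
API_KEYS = {"ak_live_9f3c2a": "reporting-service"}


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded URL-safe Base64 (RFC 7515 'base64url')."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes = SECRET, ttl: int = 900,
              now: Optional[int] = None) -> str:
    """Issue an HS256 JWT whose 'exp' claim bounds its lifetime (15 min by default)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = {**claims, "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Return the claims of a valid token; raise ValueError otherwise.

    Order matters: pin the algorithm and check the signature *before* trusting
    any claim, or an attacker-edited payload (or an 'alg: none' token) would be
    read as truth.
    """
    now = int(time.time()) if now is None else now
    try:
        h_part, p_part, s_part = token.split(".")
        header = json.loads(b64url_decode(h_part))
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_part}.{p_part}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_part)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_part))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def reject_reason(token: str, now: Optional[int] = None) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, now=now)
        return None
    except ValueError as exc:
        return str(exc)


def check_api_key(key: str) -> Optional[str]:
    """All an API-key check can ever be: equality against a stored value.

    No signature, no claims, no expiry: a leaked key works until it is revoked.
    """
    for stored, client in API_KEYS.items():
        if hmac.compare_digest(stored.encode(), key.encode()):
            return client
    return None
```

When testing an API in Postman, the interesting negative cases are the ones verify_jwt() rejects: an expired token, a token whose payload was edited after signing, and a token whose header claims alg "none". A server that accepts any of those has a broken verifier regardless of how strong the secret is.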
OAuth 2.0
➢ OAuth stands for Open Authorization. It is an authorization framework (RFC 6749),
not an authentication protocol.
➢ OAuth 2.0 is like a permission slip. It lets you give one app access to
your data or resources stored in another app without sharing your
password with the first app. For example, when an Instagram app needs access to
your Facebook account, OAuth 2.0 lets you grant that access securely: you log in at
Facebook, and Instagram receives only a token limited to what you approved.
➢ OAuth 2.0 focuses on authorization (allowing apps to access resources)
rather than authentication (verifying who you are); proving the user's identity on
top of OAuth 2.0 is what OpenID Connect adds.
➢ Tokens: Instead of your password, OAuth 2.0 uses tokens to grant and manage access.
OAuth 2.0 Terminology
➢ Resource Owner: The user who owns the data (you, as the owner of the files in
your Google Drive).
➢ Client: The application that requests access to the data (a third-party app
such as a photo editor).
➢ Authorization Server: The server that authenticates the user and issues
tokens (e.g., Keycloak, Google OAuth).
➢ Resource Server: The server where the protected resources are hosted
and accessed using tokens (e.g., a Google API for user data).
➢ Access Token: A short-lived token issued by the authorization server and
presented (usually as a bearer token) to the resource server.
➢ Refresh Token: A long-lived token that can be used to get a new access token
when the current one expires. It is sent only to the authorization server, never to
the resource server, and must be stored at least as carefully as a password.
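The following is an added example, not code from the original slides, that runs the four roles above through one authorization-code exchange offline: the resource owner logs in at the authorization server (the client never sees the password), the client trades the code for a short-lived access token plus a long-lived refresh token, the resource server accepts the access token until it expires, and the refresh token then yields a new one. The user, client, scope string "files:read", TTL values and the in-memory token tables are all constructed for the example; the real roles talk over HTTPS endpoints.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory model of the four OAuth 2.0 roles (not from the original page).
ACCESS_TTL = 600          # access token: short-lived (10 minutes here)
REFRESH_TTL = 30 * 86400  # refresh token: long-lived (30 days here)


@dataclass
class AuthorizationServer:
    """Authenticates the resource owner and issues tokens (e.g. Keycloak, Google)."""
    users: dict                                   # username -> password (sample data)
    clients: dict                                 # client_id -> client_secret
    codes: dict = field(default_factory=dict)     # code -> (user, client_id, scope, exp)
    access: dict = field(default_factory=dict)    # access token -> (user, client_id, scope, exp)
    refresh: dict = field(default_factory=dict)   # refresh token -> (user, client_id, scope, exp)

    def authorize(self, username, password, client_id, scope, now):
        """Resource owner logs in HERE and consents; the client only ever gets a code."""
        if self.users.get(username) != password or client_id not in self.clients:
            raise PermissionError("login or client rejected")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, scope, now + 60)  # codes expire quickly
        return code

    def token(self, grant_type, client_id, client_secret, now, code=None, refresh_token=None):
        """Token endpoint: authenticate the client, then redeem a code or a refresh token."""
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("client authentication failed")
        missing = (None, None, None, 0)
        if grant_type == "authorization_code":
            user, cid, scope, exp = self.codes.pop(code, missing)        # single use
            if cid != client_id or now >= exp:
                raise PermissionError("invalid or expired code")
        elif grant_type == "refresh_token":
            user, cid, scope, exp = self.refresh.pop(refresh_token, missing)  # rotated on use
            if cid != client_id or now >= exp:
                raise PermissionError("invalid or expired refresh token")
        else:
            raise PermissionError("unsupported grant_type")
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, client_id, scope, now + ACCESS_TTL)
        self.refresh[rt] = (user, client_id, scope, now + REFRESH_TTL)
        return {"access_token": at, "refresh_token": rt,
                "token_type": "Bearer", "expires_in": ACCESS_TTL}

    def introspect(self, access_token, now):
        """What the resource server asks: is this token live, for whom, with which scope?"""
        user, cid, scope, exp = self.access.get(access_token, (None, None, None, 0))
        return None if now >= exp else {"user": user, "client_id": cid, "scope": scope}


def resource_server_get_files(auth_server, bearer_header, now):
    """Resource server: serves data only for a live access token carrying the right scope."""
    scheme, _, token = bearer_header.partition(" ")
    info = auth_server.introspect(token, now) if scheme == "Bearer" else None
    if info is None:
        return 401, "invalid_token"
    if "files:read" not in info["scope"].split():
        return 403, "insufficient_scope"
    return 200, [f"{info['user']}/photo1.jpg", f"{info['user']}/photo2.jpg"]


def run_flow(now=1_700_000_000):
    """Drive the whole exchange and return the observations worth checking."""
    auth = AuthorizationServer(users={"alice": "correct horse battery"},
                               clients={"photo-editor": "cs_constructed_secret"})
    # 1. Resource owner authenticates at the authorization server and consents.
    code = auth.authorize("alice", "correct horse battery", "photo-editor", "files:read", now)
    # 2. Client redeems the code with its own credentials; it never saw the password.
    tokens = auth.token("authorization_code", "photo-editor", "cs_constructed_secret", now, code=code)
    # 3. Client calls the resource server with the access token.
    first = resource_server_get_files(auth, "Bearer " + tokens["access_token"], now + 1)
    # 4. Replaying the code fails, the access token expires, the refresh token still works.
    try:
        auth.token("authorization_code", "photo-editor", "cs_constructed_secret", now, code=code)
        replay = "accepted"
    except PermissionError:
        replay = "rejected"
    later = now + ACCESS_TTL + 1
    expired = resource_server_get_files(auth, "Bearer " + tokens["access_token"], later)
    renewed = auth.token("refresh_token", "photo-editor", "cs_constructed_secret", later,
                         refresh_token=tokens["refresh_token"])
    after_refresh = resource_server_get_files(auth, "Bearer " + renewed["access_token"], later + 1)
    return {"first": first[0], "code_replay": replay, "expired": expired[0],
            "after_refresh": after_refresh[0],
            "new_access_token": renewed["access_token"] != tokens["access_token"]}
```

Two details to keep when testing a real provider: the authorization code and the refresh token are each accepted once (the server pops them), and the resource server never handles the refresh token at all, which is why it can be long-lived while the access token is not.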
