
API authentication failures demonstrate the need for zero trust

October 5, 2022

The use of application programming interfaces (APIs) has exploded as businesses deploy mobile apps, containers, serverless computing, and microservices and expand their cloud presence. Consequently, many APIs are developed and deployed very quickly, so coding errors persist, with poor authentication practices numbering among the top offenses.

APIs are stateless by nature, and any gap or weakness can allow an attacker to gain unauthorized access to applications or to exfiltrate data. Authenticating an API requires the developer to understand the complete transaction, from the user interaction through to the outcome, which means going beyond the limits of the API specification itself. The chosen authentication protocol seeks to verify the identity of the client attempting to connect; only then is authorization used to allow the connection to an application.

Read More on Help Net Security