This document discusses different security mechanisms for APIs, including API keys, basic authentication, OAuth 2.0, and mutual TLS (mTLS). API keys function similarly to usernames and passwords for applications to access APIs. Basic authentication is for user authentication to be used with API keys. OAuth 2.0 involves obtaining an access token to access resources, and has two-legged and three-legged flows. It exposes credentials only during the initial handshake, while API keys and basic auth expose them with each request. OAuth 2.0 thus has a lower chance of compromise if a token is stolen, since it is only valid for a limited time.

1. Securing APIs
@spoon

2. Different
Security
mechanism to
protect an API
(defined in
OpenAPI, and
supported by
APIC)
• ApiKey
• basicAuth
• OAuth2
• mTLS *

3. API Key
• Like username/password
for user, apikey is
application-id/application-
secret [optional] for the
application

4. basicAuth
• This is for user
authentication
• use in conjunction
with API Key

5. OAuth
• 2 legged (password &
client-
credential/application/jwt)
vs 3 legged (implicit/code)
• Get a token first
(access_token)
• Use the access_token to
access the resource, until
the token expires

6. Difference • API Key (+BasicAuth)
• Request & Response
• API Key (+BasicAuth) exposed
to the network on each API
invocation
• Compromise : until
APIKey/User credential is
changed
• OAuth
• Get a token (access_token)
• Use the token until it
expires
• Application’s credential &
(optional) user’s credential
is exposed once during the
initial OAuth handshake
• If token is compromised, it
is only for as long as the
token is valid
• Compromise : until APIKey/
User credential is changed
• But with smaller chance that
this may happen