API Security
What is API Security?
The discipline of designing, building and operating application programming interfaces so that authentication, authorization, data exposure and abuse-resistance hold up under attack.
API security covers REST, GraphQL, gRPC and webhook surfaces that often expose business logic directly. It addresses the OWASP API Security Top 10 risks such as Broken Object Level Authorization, Broken Authentication, Excessive Data Exposure, Unrestricted Resource Consumption, and Server-Side Request Forgery. Effective programmes combine strong identity (OAuth 2.0/OIDC, signed JWTs, mTLS, scoped tokens), tight authorization on every object reference, schema-driven request and response validation, rate limiting and quota controls, structured logging, and continuous testing through SAST, DAST and API-specific fuzzing. Discovery and inventory of shadow and zombie APIs are foundational because you cannot defend endpoints you do not know exist.
● Examples
- 01: Validating that the authenticated user owns 'orderId' before returning the order to prevent BOLA/IDOR.
- 02: Enforcing per-token rate limits and request-size caps in front of a GraphQL endpoint.
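The ownership check from example 01 in working form, as an added illustration rather than code from this page: the vulnerable lookup beside the hardened one. The order store, the user and order identifiers and the request/response shapes are constructed for the demo.

```python
"""Object-level authorization for an order lookup (BOLA/IDOR defence).

Added example, not code from the page. The store, identifiers and the
request/response shapes are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_id: str
    total_cents: int


class NotFound(Exception):
    """Raised for missing orders and for orders the caller does not own."""


# Constructed sample data: two customers, three orders.
ORDERS = {
    "ord-1001": Order("ord-1001", "user-alice", 4999),
    "ord-1002": Order("ord-1002", "user-bob", 1250),
    "ord-1003": Order("ord-1003", "user-alice", 300),
}


def get_order_vulnerable(order_id: str) -> Order:
    """BOLA: trusts the client-supplied id and never checks who owns it."""
    return ORDERS[order_id]


def get_order(authenticated_user_id: str, order_id: str) -> Order:
    """Authorize on the object itself, using the identity from the verified session.

    A foreign order and a missing order raise the same error, so the
    endpoint does not confirm which ids exist.
    """
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != authenticated_user_id:
        raise NotFound(order_id)
    return order


def handle_get_order(request: dict) -> tuple[int, dict]:
    """Route handler: identity set by auth middleware, object id from the path."""
    user_id = request.get("authenticated_user")  # never read from the client body
    if user_id is None:
        return 401, {"error": "authentication required"}
    try:
        order = get_order(user_id, request["path_params"]["orderId"])
    except NotFound:
        return 404, {"error": "order not found"}
    return 200, {"orderId": order.order_id, "totalCents": order.total_cents}
```

The same pattern applies to list endpoints: scope the query to the authenticated principal rather than filtering after the fact.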
● Frequently asked questions
What is API Security?
The discipline of designing, building and operating application programming interfaces so that authentication, authorization, data exposure and abuse-resistance hold up under attack. It belongs to the Application Security category of cybersecurity.
What does API Security mean?
The discipline of designing, building and operating application programming interfaces so that authentication, authorization, data exposure and abuse-resistance hold up under attack.
How do you defend against API security risks?
Defences for API Security typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for API Security?
Common alternative names include: API security.