One of the most important aspects of developing APIs for the enterprise is ensuring API security - making sure users can access their accounts via the API without leaving their data vulnerable. Early on, APIs did this via basic authorization, or asking the user for their username and password, which was then forwarded to the API by the software consuming it. This, however, created a huge security risk.
Today OAuth (Open Authorization), a token-based authorization system, is the most common API security measure. Unlike basic authorization, OAuth never gives the API client access to the user's login credentials. Instead, it redirects the user to a page on the destination service's own server, where they enter their credentials, and then returns an access token for that user to the API client.
The benefit of token-based access is that a token can be revoked at any time, for any reason: a security breach, misuse, or simply the user deciding they no longer want that application to have access to their account. Access tokens can also be scoped to restrict permissions, letting the user decide what the application is allowed to do with their information or account.
API security principles are well defined, no matter how simple or complex the API. Developers need to make sure their APIs keep users' credentials (usernames and passwords) secure, which means creating a layer of separation between that information and the client. Developers should never request login credentials through public APIs, as doing so leaves the user's information vulnerable.
Download a copy of Undisturbed REST: A Guide to Designing the Perfect API to learn about OAuth systems and guidelines for implementing these and other API security measures into an API project.