API security
The business APIs you deploy, whether used by your internal applications or external partners, must be properly secured and managed. Implementing robust API security is crucial for several reasons. It safeguards sensitive data transmitted via APIs, preventing unauthorized access while ensuring legitimate users have the correct level of access. Moreover, strong API security is vital for maintaining a business’s reputation and customer trust. A single data breach can significantly harm your brand name and erode customer confidence, so preventing cybersecurity incidents not only helps avoid negative media attention but also shows a commitment to protecting user data and privacy. Furthermore, API security ensures compliance with industry-specific regulations such as HIPAA and FAPI.
Asgardeo can secure your APIs and make sure that only authorized applications and authorized users can access them. Asgardeo can be integrated with your APIs in one of two ways:
- Asgardeo as OAuth2 Token Service with access control - In this approach, Asgardeo handles both authentication and authorization. Asgardeo issues access tokens with access control policies already enforced (for example, the scopes issued are based on role-based access control). Your APIs validate the token and trust the access control decisions already made by Asgardeo.
  Suitable when:
  - You don't use a dedicated API management platform.
  - You want Asgardeo to enforce access policies.
- Asgardeo as OAuth2 Token Service only - Use this approach when you integrate Asgardeo as the Identity Provider (IdP) for an API management platform (WSO2 API Manager, Choreo, etc.). Asgardeo issues tokens, but the API management platform enforces authorization for the token.
  Suitable when:
  - You already have an API gateway or management platform handling access policies.
  - You want centralized identity management via Asgardeo across different applications and APIs.
Define and secure API resources
Define your APIs and associated permissions as scopes in Asgardeo using the console or API, and attach the authorization policies.
Note
Learn more about the supported authorization policies for APIs and apps.
Authorize applications to use APIs
Authorize applications to consume API resources and define their access level by assigning a set of scopes.
Tip
If your application needs FAPI compliance for API access, Asgardeo simplifies the process with a one-click, FAPI-compliant option. This feature ensures that all necessary security configurations for FAPI compliance are automatically applied to your app. Learn more about FAPI-compliant apps.
Define application-level roles based on your business needs, and assign to each role the relevant scopes from the previous step. You can create both application-specific roles and organization-wide roles. These roles can be assigned to users and user groups, so that a user's access to the API is restricted to the scopes carried by their roles.
Simplify token generation and verification
Use Asgardeo SDKs for your preferred web application framework to request access tokens while also managing user sign-ins. Asgardeo SDKs allow you to request specific scopes, representing different access levels within the APIs. Asgardeo applies authorization policies to each token request, ensuring that applications only receive the scopes authorized for the current user and app. The SDKs also handle token verification complexities, so you won’t need to write additional code for token processing and verification. Explore the full range of SDKs supported by Asgardeo.
Alternatively, you can use any OAuth2/OIDC framework to create token requests and manage tokens on your own.
You can use either of the following methods to verify tokens, typically at the API gateway or, if no gateway is used, within the API implementation itself:
- Signature Verification - Verify the token's signature and validity directly. Asgardeo provides a JWKS (JSON Web Key Set) endpoint from which you can retrieve the public key matching the private key used for signing. Once the key set has been retrieved (and cached), this method needs no further network calls to Asgardeo per request, so it performs well.
- Token Introspection - Verify the token's validity and obtain additional token details by calling Asgardeo's introspection endpoint. This approach costs an extra network call per check, but it offers additional assurance, such as confirming that the token has not been revoked.
If you are using an API management solution that provides API authorization along with other management capabilities, you can easily integrate Asgardeo as an identity provider for token generation. This is a common approach when you want to leverage Asgardeo as the customer or workforce identity provider across applications and APIs.