API Security Complete Guide: OWASP Top 10, Authentication, and Best Practices

API keys are simple static tokens for identifying applications, best for server-to-server communication with trusted partners. OAuth 2.0 is a delegation framework allowing users to grant limited access without sharing passwords, ideal for third-party integrations. JWT (JSON Web Tokens) are self-contained tokens carrying claims and signatures, used for stateless authentication. In practice, OAuth often issues JWTs as access tokens. Use API keys for simple integrations, OAuth for user-authorized access, and JWTs for scalable stateless auth.

BOLA (also called IDOR - Insecure Direct Object Reference) occurs when APIs expose internal object IDs without proper authorization checks. Prevent it by:

1. Always verify the authenticated user has permission to access the requested resource
2. Use indirect references or UUIDs instead of sequential IDs
3. Implement authorization checks at every endpoint, not just at the gateway
4. Log and monitor access patterns for anomalies
5. Use attribute-based access control (ABAC) for complex permission models.

Never trust client-provided IDs without server-side validation.

Implement multiple rate limiting layers:

1. Global rate limits per IP address (e.g., 1000 requests/minute)
2. Per-user/API key limits (e.g., 100 requests/minute)
3. Per-endpoint limits for sensitive operations (e.g., 10 login attempts/minute)
4. Concurrent request limits.

Use algorithms like Token Bucket for bursty traffic or Sliding Window for smooth distribution. Return proper 429 Too Many Requests responses with Retry-After headers. Consider tiered limits for different subscription levels.

Validate all API input using a defense-in-depth approach:

1. Define strict schemas using OpenAPI/JSON Schema and reject non-conforming requests
2. Validate data types, lengths, formats, and ranges
3. Use allowlists for enumerated values
4. Sanitize input before database queries (use parameterized queries/ORMs)
5. Encode output to prevent XSS
6. Validate content-type headers match request body
7. Implement request size limits.

Never trust client input - validate on the server even if client-side validation exists.

Secure JWTs by:

1. Use strong signing algorithms (RS256/ES256, not HS256 with weak secrets)
2. Set short expiration times (15 minutes for access tokens)
3. Validate all claims (iss, aud, exp, nbf) on every request
4. Store tokens securely (HttpOnly cookies or secure storage, never localStorage)
5. Implement token revocation via short expiry + refresh tokens or token blacklists
6. Never store sensitive data in JWT payload (it's base64, not encrypted)
7. Use the 'kid' header to support key rotation.

Always validate the signature server-side.

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks. Implementation:

1. Generate a random code_verifier (43-128 characters)
2. Create code_challenge by SHA256 hashing and base64url encoding the verifier
3. Send code_challenge with authorization request
4. Send code_verifier when exchanging the authorization code for tokens
5. Server validates that SHA256(code_verifier) equals stored code_challenge.

PKCE is now required for all OAuth 2.1 clients, including confidential server-side applications.

Essential API security headers:

1. Strict-Transport-Security (HSTS) - enforce HTTPS
2. X-Content-Type-Options: nosniff - prevent MIME sniffing
3. X-Frame-Options: DENY - prevent clickjacking for HTML responses
4. Content-Security-Policy - restrict resource loading
5. Cache-Control: no-store - prevent caching sensitive data
6. X-Request-ID - correlation ID for debugging/audit trails.

For APIs returning JSON, avoid Content-Disposition: attachment. Configure CORS headers carefully, never use Access-Control-Allow-Origin: *.

GraphQL requires additional security measures:

1. Implement query depth limiting to prevent deeply nested queries that exhaust resources
2. Set query complexity limits based on field costs
3. Disable introspection in production (or restrict to authenticated admins)
4. Use persisted queries to whitelist allowed operations
5. Implement field-level authorization, not just resolver-level
6. Rate limit by query complexity, not just request count
7. Validate and sanitize all variable inputs.

GraphQL's flexibility makes it more prone to denial-of-service through expensive queries.

Log these security-relevant events:

1. All authentication attempts (success/failure) with IP, user-agent, timestamp
2. Authorization failures and access denied events
3. Rate limit violations and blocked requests
4. Input validation failures with sanitized details
5. API errors (4xx/5xx) with request context
6. Admin/privileged operations
7. Data exports and bulk operations
8. Token refresh and revocation events.

Never log passwords, tokens, or full credit card numbers. Use structured logging (JSON) for easier analysis. Correlate with request IDs.