API Security Best Practices - Complete Developer Guide 2026
API Security Best Practices - Complete Developer Guide 2026
Master API security with this comprehensive guide covering authentication, authorization, rate limiting, input validation, OWASP API Top 10, and practical implementation examples for building secure APIs.
Introduction: Why API Security Matters More Than Ever
APIs are the backbone of modern software. They power mobile applications, connect microservices, enable third-party integrations, and expose data to the world. But with this power comes significant risk. A single API vulnerability can expose millions of user records, enable unauthorized access to critical systems, or allow attackers to manipulate your application in ways you never anticipated.
In 2026, API attacks are among the most common and damaging types of security incidents. The increasing adoption of microservices architectures means more APIs, more endpoints, and more attack surface. This guide provides a comprehensive, practical approach to API security -- covering everything from authentication and authorization to rate limiting, input validation, and the OWASP API Security Top 10.
Whether you are building REST APIs, GraphQL endpoints, or gRPC services, the principles in this guide apply. And when you need to debug or validate your API data, tools like our JSON Formatter and Base64 Encoder/Decoder can help you inspect payloads and tokens.
Authentication: Verifying Identity
Authentication is the process of verifying who is making a request. Getting it right is the foundation of API security.
JSON Web Tokens (JWT)
JWTs are the most common authentication mechanism for APIs. They are self-contained tokens that include claims about the user and are cryptographically signed.
How JWTs Work:
- User provides credentials (username/password, OAuth flow, etc.)
- Server validates credentials and issues a signed JWT
- Client includes the JWT in subsequent requests via the
Authorizationheader - Server validates the JWT signature and extracts claims
// JWT structure: header.payload.signature
// Each part is Base64URL encoded
// Header
{
"alg": "RS256",
"typ": "JWT",
"kid": "key-id-123"
}
// Payload
{
"sub": "user-123",
"email": "user@example.com",
"roles": ["admin", "user"],
"iat": 1710590400,
"exp": 1710594000,
"iss": "https://auth.example.com"
}
// Signature
RSASHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
privateKey
)
You can decode and inspect JWT tokens using our Base64 Encoder/Decoder -- remember that JWTs use Base64URL encoding, a variant of standard Base64.
JWT Best Practices:
| Practice | Reason |
|---|---|
| Use RS256 or ES256, not HS256 | Asymmetric algorithms prevent token forgery even if the public key is exposed |
| Set short expiration times | Limits the window of attack if a token is compromised |
Include an iss (issuer) claim | Prevents tokens from one service being used with another |
Include a jti (JWT ID) claim | Enables token revocation and replay detection |
| Never store sensitive data in the payload | JWTs are encoded, not encrypted -- anyone can read the payload |
| Validate all claims on every request | Do not trust the token contents without verification |
| Use a key rotation strategy | Regularly rotate signing keys using the kid header |
OAuth 2.0 and OpenID Connect
OAuth 2.0 is the industry standard for authorization, while OpenID Connect (OIDC) adds an authentication layer on top. Together, they provide a comprehensive framework for securing APIs.
Key OAuth 2.0 Flows:
- Authorization Code Flow with PKCE: The recommended flow for web and mobile applications
- Client Credentials Flow: For server-to-server communication
- Device Authorization Flow: For devices with limited input capabilities
// Authorization Code Flow with PKCE
// Step 1: Generate code verifier and challenge
const codeVerifier = generateRandomString(64);
const codeChallenge = base64url(sha256(codeVerifier));
// Step 2: Redirect to authorization endpoint
const authUrl = new URL('https://auth.example.com/authorize');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('client_id', 'your-client-id');
authUrl.searchParams.set('redirect_uri', 'https://app.example.com/callback');
authUrl.searchParams.set('scope', 'openid profile email');
authUrl.searchParams.set('code_challenge', codeChallenge);
authUrl.searchParams.set('code_challenge_method', 'S256');
authUrl.searchParams.set('state', generateRandomString(32));
// Step 3: Exchange authorization code for tokens
const tokenResponse = await fetch('https://auth.example.com/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'authorization_code',
code: authorizationCode,
redirect_uri: 'https://app.example.com/callback',
client_id: 'your-client-id',
code_verifier: codeVerifier,
}),
});
API Keys
API keys are simple but limited. They identify the calling application but do not authenticate individual users.
When to use API keys:
- Identifying which application is making requests
- Tracking API usage and enforcing quotas
- Rate limiting by application
- Public APIs with low security requirements
API Key Best Practices:
- Never expose API keys in client-side code or URLs
- Use different keys for development, staging, and production
- Implement key rotation without downtime
- Hash API keys when storing them in your database
- Set appropriate scopes and permissions for each key
// Middleware for API key validation
async function validateApiKey(req, res, next) {
const apiKey = req.headers['x-api-key'];
if (!apiKey) {
return res.status(401).json({ error: 'API key required' });
}
const hashedKey = sha256(apiKey);
const keyRecord = await db.apiKeys.findByHash(hashedKey);
if (!keyRecord || keyRecord.revoked) {
return res.status(403).json({ error: 'Invalid API key' });
}
if (keyRecord.expiresAt < new Date()) {
return res.status(403).json({ error: 'API key expired' });
}
req.apiKeyRecord = keyRecord;
next();
}
Authorization: Controlling Access
Authentication tells you who someone is; authorization tells you what they are allowed to do. They are often confused, but they are fundamentally different concerns.
Role-Based Access Control (RBAC)
RBAC assigns permissions to roles, and users are assigned to roles. This is the simplest and most common authorization model.
// Role-based middleware
const permissions = {
admin: ['read', 'write', 'delete', 'manage_users'],
editor: ['read', 'write'],
viewer: ['read'],
};
function requirePermission(permission) {
return (req, res, next) => {
const userRoles = req.user.roles;
const hasPermission = userRoles.some(
role => permissions[role]?.includes(permission)
);
if (!hasPermission) {
return res.status(403).json({
error: 'Insufficient permissions',
required: permission,
});
}
next();
};
}
// Usage
app.delete('/api/posts/:id', requirePermission('delete'), deletePost);
app.get('/api/posts', requirePermission('read'), listPosts);
Attribute-Based Access Control (ABAC)
ABAC evaluates policies based on attributes of the user, resource, action, and environment. It is more flexible than RBAC but also more complex.
// ABAC policy evaluation
function evaluatePolicy(user, resource, action, environment) {
const policies = [
// Users can edit their own posts
{
effect: 'allow',
condition: (u, r, a) =>
a === 'edit' && r.type === 'post' && r.authorId === u.id,
},
// Admins can do anything
{
effect: 'allow',
condition: (u) => u.roles.includes('admin'),
},
// No access outside business hours for non-admins
{
effect: 'deny',
condition: (u, r, a, env) => {
const hour = env.currentTime.getHours();
return !u.roles.includes('admin') && (hour < 9 || hour > 17);
},
},
];
// Deny by default
let result = 'deny';
for (const policy of policies) {
const matches = policy.condition(user, resource, action, environment);
if (matches) {
if (policy.effect === 'deny') return 'deny';
result = 'allow';
}
}
return result;
}
Rate Limiting and Throttling
Rate limiting prevents abuse and ensures fair usage of your API. It is essential for both security and reliability.
Rate Limiting Strategies
| Strategy | Description | Best For |
|---|---|---|
| Fixed Window | Count requests per time window | Simple APIs |
| Sliding Window | Rolling count over time | More accurate limiting |
| Token Bucket | Tokens refill at a fixed rate | Allowing bursts |
| Leaky Bucket | Requests processed at a fixed rate | Smooth throughput |
Implementing Rate Limiting
// Token bucket rate limiter using Redis
class TokenBucketRateLimiter {
constructor(redis, options) {
this.redis = redis;
this.maxTokens = options.maxTokens || 100;
this.refillRate = options.refillRate || 10; // tokens per second
this.keyPrefix = options.keyPrefix || 'ratelimit:';
}
async consume(identifier, tokens = 1) {
const key = `${this.keyPrefix}${identifier}`;
const now = Date.now();
const result = await this.redis.eval(`
local key = KEYS[1]
local maxTokens = tonumber(ARGV[1])
local refillRate = tonumber(ARGV[2])
local now = tonumber(ARGV[3])
local requested = tonumber(ARGV[4])
local data = redis.call('hmget', key, 'tokens', 'lastRefill')
local tokens = tonumber(data[1]) or maxTokens
local lastRefill = tonumber(data[2]) or now
-- Refill tokens
local elapsed = (now - lastRefill) / 1000
tokens = math.min(maxTokens, tokens + elapsed * refillRate)
if tokens >= requested then
tokens = tokens - requested
redis.call('hmset', key, 'tokens', tokens, 'lastRefill', now)
redis.call('expire', key, 3600)
return {1, tokens}
else
return {0, tokens}
end
`, 1, key, this.maxTokens, this.refillRate, now, tokens);
return {
allowed: result[0] === 1,
remaining: Math.floor(result[1]),
};
}
}
// Middleware
async function rateLimitMiddleware(req, res, next) {
const identifier = req.apiKeyRecord?.id || req.ip;
const { allowed, remaining } = await rateLimiter.consume(identifier);
res.set('X-RateLimit-Remaining', remaining);
res.set('X-RateLimit-Limit', rateLimiter.maxTokens);
if (!allowed) {
res.set('Retry-After', '60');
return res.status(429).json({
error: 'Too many requests',
retryAfter: 60,
});
}
next();
}
Rate Limiting Best Practices
- Return rate limit headers: Include
X-RateLimit-Limit,X-RateLimit-Remaining, andRetry-Afterheaders - Use tiered limits: Different rate limits for different API keys, endpoints, or user plans
- Rate limit by multiple dimensions: Combine IP-based, user-based, and endpoint-based limits
- Be generous with read operations: Apply stricter limits to write operations
- Provide clear error messages: Tell users when they can retry
Input Validation and Sanitization
Never trust user input. Every piece of data that enters your API should be validated, sanitized, and constrained.
Schema Validation with Zod
import { z } from 'zod';
// Define strict schemas for all inputs
const createUserSchema = z.object({
email: z.string()
.email('Invalid email format')
.max(255, 'Email too long')
.toLowerCase()
.trim(),
name: z.string()
.min(1, 'Name is required')
.max(100, 'Name too long')
.trim(),
password: z.string()
.min(12, 'Password must be at least 12 characters')
.max(128, 'Password too long')
.regex(
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])/,
'Password must include uppercase, lowercase, number, and special character'
),
age: z.number()
.int('Age must be an integer')
.min(13, 'Must be at least 13')
.max(150, 'Invalid age')
.optional(),
role: z.enum(['user', 'editor']).default('user'),
});
// Validate in your route handler
app.post('/api/users', async (req, res) => {
const result = createUserSchema.safeParse(req.body);
if (!result.success) {
return res.status(400).json({
error: 'Validation failed',
details: result.error.issues.map(issue => ({
field: issue.path.join('.'),
message: issue.message,
})),
});
}
const validatedData = result.data;
// Proceed with validated data
});
Need to test your validation regex patterns? Use our Regex Tester tool.
SQL Injection Prevention
SQL injection remains one of the most common and dangerous vulnerabilities. Always use parameterized queries.
// NEVER do this
const query = `SELECT * FROM users WHERE email = '${email}'`;
// ALWAYS use parameterized queries
const query = 'SELECT * FROM users WHERE email = $1';
const result = await db.query(query, [email]);
// Or use an ORM
const user = await prisma.user.findUnique({
where: { email: validatedEmail },
});
XSS Prevention
Cross-site scripting (XSS) can occur when user input is reflected in API responses that are rendered in browsers.
// Sanitize output for HTML contexts
import DOMPurify from 'isomorphic-dompurify';
function sanitizeOutput(input) {
return DOMPurify.sanitize(input, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p', 'br'],
ALLOWED_ATTR: [],
});
}
// Set appropriate Content-Type headers
res.setHeader('Content-Type', 'application/json');
// Never set Content-Type to text/html for API responses
// Use Content Security Policy headers
res.setHeader(
'Content-Security-Policy',
"default-src 'none'; frame-ancestors 'none'"
);
CORS (Cross-Origin Resource Sharing)
CORS is a browser security mechanism that controls which origins can access your API. Misconfigured CORS is a common source of vulnerabilities.
CORS Configuration
import cors from 'cors';
// Production CORS configuration
const corsOptions = {
origin: (origin, callback) => {
const allowedOrigins = [
'https://app.example.com',
'https://admin.example.com',
];
// Allow requests with no origin (mobile apps, curl, etc.)
if (!origin) return callback(null, true);
if (allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key'],
credentials: true,
maxAge: 86400, // Cache preflight requests for 24 hours
};
app.use(cors(corsOptions));
CORS Best Practices:
- Never use
*forAccess-Control-Allow-Originwith credentials: This is a browser-enforced restriction for good reason - Be specific about allowed origins: Whitelist only the domains that need access
- Restrict allowed methods and headers: Only allow what your API actually uses
- Set a reasonable
maxAge: Reduce preflight request overhead - Validate the
Originheader server-side: Do not rely solely on browser enforcement
HTTPS and Transport Security
All API traffic should be encrypted using HTTPS. In 2026, there is no excuse for serving APIs over plain HTTP.
HSTS (HTTP Strict Transport Security)
// Force HTTPS with HSTS
app.use((req, res, next) => {
res.setHeader(
'Strict-Transport-Security',
'max-age=31536000; includeSubDomains; preload'
);
next();
});
Certificate Pinning for Mobile APIs
For mobile applications, consider certificate pinning to prevent man-in-the-middle attacks:
// iOS certificate pinning example
let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
certificates: ServerTrustPolicy.certificates(),
validateCertificateChain: true,
validateHost: true
)
let serverTrustPolicies: [String: ServerTrustPolicy] = [
"api.example.com": serverTrustPolicy
]
OWASP API Security Top 10 (2023/2026)
The OWASP API Security Top 10 provides a framework for understanding the most critical API security risks. Here is a summary with practical mitigation strategies.
1. Broken Object Level Authorization (BOLA)
Attackers manipulate object IDs to access resources belonging to other users.
// Vulnerable: No authorization check
app.get('/api/orders/:id', async (req, res) => {
const order = await db.orders.findById(req.params.id);
res.json(order); // Any user can access any order!
});
// Secure: Verify ownership
app.get('/api/orders/:id', async (req, res) => {
const order = await db.orders.findById(req.params.id);
if (!order) {
return res.status(404).json({ error: 'Order not found' });
}
if (order.userId !== req.user.id && !req.user.roles.includes('admin')) {
return res.status(403).json({ error: 'Access denied' });
}
res.json(order);
});
2. Broken Authentication
Weak authentication mechanisms allow attackers to compromise accounts.
Mitigations:
- Implement multi-factor authentication (MFA)
- Use strong password policies
- Implement account lockout after failed attempts
- Use secure session management
3. Broken Object Property Level Authorization
APIs expose object properties that users should not access.
// Vulnerable: Returns all user fields
app.get('/api/users/:id', async (req, res) => {
const user = await db.users.findById(req.params.id);
res.json(user); // Exposes passwordHash, internalNotes, etc.
});
// Secure: Return only allowed fields
app.get('/api/users/:id', async (req, res) => {
const user = await db.users.findById(req.params.id);
res.json({
id: user.id,
name: user.name,
email: user.email,
avatar: user.avatar,
});
});
4. Unrestricted Resource Consumption
APIs that do not limit resource consumption are vulnerable to denial-of-service attacks.
Mitigations:
- Implement rate limiting (covered above)
- Set maximum request body sizes
- Limit pagination page sizes
- Set query timeouts
- Implement cost-based throttling for expensive operations
5. Broken Function Level Authorization
Attackers access administrative endpoints by changing the URL or HTTP method.
// Middleware to protect admin endpoints
function requireAdmin(req, res, next) {
if (!req.user.roles.includes('admin')) {
// Log the attempt for security monitoring
logger.warn('Unauthorized admin access attempt', {
userId: req.user.id,
endpoint: req.originalUrl,
ip: req.ip,
});
return res.status(403).json({ error: 'Admin access required' });
}
next();
}
app.use('/api/admin/*', requireAdmin);
6. Unrestricted Access to Sensitive Business Flows
APIs that do not rate-limit or protect sensitive business operations.
7. Server Side Request Forgery (SSRF)
APIs that fetch user-provided URLs without validation.
// Vulnerable to SSRF
app.post('/api/fetch-url', async (req, res) => {
const response = await fetch(req.body.url); // Can access internal services!
res.json(await response.json());
});
// Mitigated: Validate and restrict URLs
app.post('/api/fetch-url', async (req, res) => {
const url = new URL(req.body.url);
// Block internal networks
const blockedHosts = ['localhost', '127.0.0.1', '0.0.0.0', '169.254.169.254'];
if (blockedHosts.includes(url.hostname) || url.hostname.startsWith('10.') ||
url.hostname.startsWith('192.168.') || url.hostname.startsWith('172.')) {
return res.status(400).json({ error: 'Internal URLs not allowed' });
}
// Only allow HTTPS
if (url.protocol !== 'https:') {
return res.status(400).json({ error: 'Only HTTPS URLs allowed' });
}
const response = await fetch(url.toString(), { redirect: 'error' });
res.json(await response.json());
});
8. Security Misconfiguration
Improper security configurations expose APIs to attacks.
Common misconfigurations:
- Default credentials left in place
- Unnecessary HTTP methods enabled
- Missing security headers
- Verbose error messages in production
- Debug endpoints left enabled
9. Improper Inventory Management
Untracked or forgotten API endpoints create security blind spots.
Mitigations:
- Maintain a complete API inventory
- Use API gateway tools for visibility
- Decommission old API versions properly
- Monitor for shadow APIs
10. Unsafe Consumption of APIs
Your API blindly trusting data from third-party APIs.
// Always validate data from external APIs
const externalData = await fetch('https://partner-api.com/data');
const rawData = await externalData.json();
// Validate the external data before using it
const validatedData = externalDataSchema.parse(rawData);
Security Headers for APIs
// Comprehensive security headers middleware
function securityHeaders(req, res, next) {
// Prevent MIME type sniffing
res.setHeader('X-Content-Type-Options', 'nosniff');
// Prevent clickjacking
res.setHeader('X-Frame-Options', 'DENY');
// Enable HSTS
res.setHeader('Strict-Transport-Security',
'max-age=31536000; includeSubDomains; preload');
// Content Security Policy for API responses
res.setHeader('Content-Security-Policy',
"default-src 'none'; frame-ancestors 'none'");
// Prevent information leakage
res.removeHeader('X-Powered-By');
res.setHeader('X-Content-Type-Options', 'nosniff');
// Cache control for sensitive endpoints
if (req.path.startsWith('/api/')) {
res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
res.setHeader('Pragma', 'no-cache');
}
next();
}
Logging and Monitoring
Effective logging and monitoring are essential for detecting and responding to security incidents.
What to Log
- All authentication events (successes and failures)
- Authorization failures
- Rate limit violations
- Input validation failures
- Unusual patterns (excessive requests, scanning behavior)
What NOT to Log
- Passwords or credentials
- Full credit card numbers
- Personal health information
- Session tokens or API keys
// Structured security logging
const securityLogger = {
authFailure(details) {
logger.warn('AUTH_FAILURE', {
timestamp: new Date().toISOString(),
ip: details.ip,
userAgent: details.userAgent,
attemptedUser: details.email,
reason: details.reason,
// Never log the attempted password!
});
},
authorizationDenied(details) {
logger.warn('AUTHZ_DENIED', {
timestamp: new Date().toISOString(),
userId: details.userId,
resource: details.resource,
action: details.action,
ip: details.ip,
});
},
};
API Security Checklist
Use this checklist to audit your API security:
| Category | Check | Status |
|---|---|---|
| Authentication | Use strong, standard authentication (JWT, OAuth 2.0) | |
| Authentication | Implement MFA for sensitive operations | |
| Authentication | Use secure password hashing (bcrypt, argon2) | |
| Authorization | Verify object-level access on every request | |
| Authorization | Implement RBAC or ABAC | |
| Authorization | Apply principle of least privilege | |
| Input | Validate all input with schemas | |
| Input | Parameterize all database queries | |
| Input | Sanitize output to prevent XSS | |
| Transport | Use HTTPS everywhere | |
| Transport | Implement HSTS | |
| Transport | Configure TLS 1.3 | |
| Rate Limiting | Implement per-user rate limits | |
| Rate Limiting | Implement per-endpoint rate limits | |
| Rate Limiting | Return rate limit headers | |
| CORS | Restrict allowed origins | |
| CORS | Limit allowed methods and headers | |
| Headers | Set X-Content-Type-Options: nosniff | |
| Headers | Set X-Frame-Options: DENY | |
| Headers | Remove server version headers | |
| Logging | Log all auth events | |
| Logging | Never log sensitive data | |
| Logging | Monitor for suspicious patterns |
Conclusion
API security is not a one-time task -- it is an ongoing process that requires attention at every stage of development. By implementing the practices outlined in this guide, you can significantly reduce the attack surface of your APIs and protect your users and data.
Key takeaways:
- Use strong authentication: Implement JWT with asymmetric algorithms or OAuth 2.0 with PKCE
- Check authorization on every request: Never assume a user has access -- verify it
- Validate all input: Use schema validation libraries like Zod
- Rate limit everything: Protect against abuse and denial-of-service
- Configure CORS properly: Be specific about allowed origins
- Use HTTPS everywhere: There is no exception to this rule
- Know the OWASP API Top 10: Understand and mitigate each risk
- Log and monitor: Detect and respond to security incidents quickly
For validating and debugging your API data, use our free online tools: JSON Formatter for response inspection, Base64 Encoder/Decoder for token analysis, URL Encoder for query parameter debugging, and Hash Generator for verifying data integrity.
Related Resources
- Hash Functions Explained -- Understanding cryptographic hashes used in API security
- Base64 Encoding Explained -- How Base64 works in JWTs and API authentication
- URL Encoding Explained -- Understanding percent-encoding in API URLs
- JSON Formatter -- Format and validate API responses
- Password Generator -- Generate strong passwords and API keys