We all like to assume that our APIs are secure, as it lets us go about our business using our APIs with a clear conscience. The unfortunate reality is that our APIs aren’t always as safe as we like to pretend. We can make them secure, but it needs to be set up in the right way to ensure bad actors don’t misuse your APIs.

Preventing unauthorized API access is more important than it’s ever been. According to CDNetworks’ State of Web Application & API Protection 2024 report, the cybersecurity platform detected 887.4 billion attack attempts on web applications and APIs globally in 2024, a 21.4% increase from 2023. Even more alarmingly, 78% of those attacks occurred after authentication had already happened. Clearly, merely focusing on authentication isn’t enough.

The good news is that unauthorized API access can be virtually eliminated, even if they have an access token. We’re going to share some tips and best practices to prevent unauthorized API access to help guarantee your APIs are as secure as possible.

Use Proper Authentication and Authorization

We’ll start with the basics and then delve into more complex and comprehensive ways to prevent API authorization even if someone has an API key or access token. To start, every API should have some form of authentication in place, even if it’s only intended for internal use. Not only does authentication and authorization help keep track of who’s accessing an API, it also allows API developers to determine what resources they’re able to access.

Industry standards like OAuth 2.0 and OpenID Connect create ways to dictate access without having to repeatedly transfer access tokens or input passwords. Sensitive endpoints need additional security, as well, such as multi-factor authentication (MFA).

Use Rate Limiting and Throttling

Rate limiting and throttling are more fundamental API security tactics that still play an important part in preventing unauthorized API access. Malicious actors can shut down API security by sending too many requests, either through denial-of-service attacks or through brute-force attacks. Rate limiting and throttling provide a useful stop-gap against these threats, placing a cap on how many requests a particular user can make in a specified period of time. Rate limits can be dictated by a particular user’s role or access level, as well, which reduces service outages or limitations that would prevent an API from being useful.

Validate All Inputs

Attackers often exploit endpoints and API resources by injecting dangerous inputs, like SQL commands or scripts, to manipulate the backend system. Input validation removes this risk by assessing every API call, checking types, enforcing length limits, confirming formats, and sanitizing input to remove dangerous characters or patterns. Schema validation tools like JSON schema or XML schema help to automate this process, ensuring that all API inputs and outputs will be appropriately formatted.

Encrypt API Traffic with TLS

Transport-layer encryption is important in an API ecosystem. Another important best practice for preventing unauthorized API access is to encrypt all API traffic with HTTPS and a modern Transport Layer Security (TLS). This prevents man-in-the-middle attacks, where malicious actors intercept or modify sensitive data when it’s transmitted between the client and the server. It’s important that the latest versions of HTTPS and TLS are used, as older versions can be compromised. Proper certificate management, strong ciphers, and enforcement mechanisms like HTTP Strict Transport Security (HSTS) also help make sure an API is safe against eavesdropping or meddling.

Use An API Gateway

API gateways are an important component of securing APIs at scale. An API gateway acts as a proxy between the client and the backend, making it ideal to implement authentication, rate limiting, input validation, logging, and monitoring. Tools like Kong, Apigee, AWS API Gateway, and Tyk enable fine-grained access control while providing powerful monitoring and alerting features. Putting an API gateway at the beginning of your API architecture gives you visibility and control over every request and response, allowing suspicious activity to be detected before it reaches the application layer.

Use Scoped Tokens

Adding scope to access tokens helps to prevent many of the risks of users gaining unauthorized access, even if they have credentials. Instead of providing the keys to the kingdom, scoped access tokens provide access to specific data or resources. This is in keeping with the principle of least privilege, which means to grant users the minimum access possible. An access token might specify that a user can retrieve user data but not modify it. Providing as little access as necessary helps to reduce the risks of unauthorized API access, helping to keep damage to a minimum if there’s a data breach.

Restrict Resources by IP or Location

Limiting access to resources by IP address or location is another great way to prevent unauthorized API access. Even if you have a global user base, it still gives you options on how to limit access. You might provide an allowlist of accepted IP addresses for a particular resource, for instance. You might limit access from certain geographic regions, as well. Imagine that your API has been experiencing an upsurge in cyberattacks from Turkey, for example. You might put further precautions in place when API calls come from Turkey, requiring MFA in that instance, which would still make your API useful and usable by your authorized Turkish users.

Use a Web Application Firewall (WAF)

Web application firewalls (WAFs) may be traditionally used to protect web apps, but they can benefit API protection as well. WAFs can filter out common attacks like SQL injection, cross-site scripting (XSS), or automated bots attempting credential stuffing. Even better, WAFs can be configured with custom rules that are tailored to your API’s specific behavior instead of generic patterns, making it useful for deterring unauthorized API access even if a user has an access token.

Watch Out for Misused Tokens

There are numerous ways you can prevent unauthorized or malicious users to access API resources even if they’ve got an access token. Enforcing token expiration and rotation is a common method, helping to keep damage to a minimum even if unauthorized access occurs. Even better, refresh tokens can be issued for authorized users, making your API secure without overly inconveniencing your users.

Access tokens can be connected to specific identifiers, as well, like IP address, device fingerprint, or client ID. This way, if tokens from a specific user start showing up all over the world in a suspicious manner you can put additional safeguards in place while still allowing your API to still be useful.

Finally, you can create behavioral models of individual users that can be connected to access tokens. This allows your system to detect anomalous user behavior even if they have an authorized access token.

Final Thoughts on Preventing Unauthorized API Access

An API is only as useful as it is secure. As we have seen, even putting authorization and authentication in place isn’t enough to guarantee API security. Without additional protections in place, API ecosystems can still be vulnerable to common attacks like cross-site scripting (XSS) or cross-origin resource sharing (CORS). Authentication adds an important ability to monitor and log a user’s behavior, giving you options on how to protect your API even if someone has credentials.

Rate limiting, throttling, and scoped and expiring tokens all help to reduce potential risks in case there’s a data breach. Input validation ensures that no malicious code can make its way to an API’s application layer. API gateways allow visibility and control over every aspect of an API. TLC encryption prevents malicious actors from intercepting sensitive data. WAFs prevent common attacks like SQL injection or XSS. Together, they can make a robust API security system even if a user is authenticated.

For an illustration of API access done right, you can check out the GitHub REST API. It’s a good example of scoped access tokens and robust authentication, as it requires authentication for each endpoint or resource. You can also see examples of rate limiting, input validation, and encryption. Seeing these best practices in action will give you an even better idea about how to implement this advice in your own APIs.