Use when implementing API authentication, authorization, or security patterns. Covers OAuth 2.0, OIDC, JWT, API keys, rate limiting, and common API security vulnerabilities.
Source: melodic-software/claude-code-plugins (plugin: systems-design), January 21, 2026

Install with:

```shell
npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/systems-design/skills/api-security/SKILL.md -a claude-code --skill api-security
```

Installation path: `.claude/skills/api-security/`

# API Security
Comprehensive guide to securing APIs - authentication, authorization, and protection against common vulnerabilities.
## When to Use This Skill
- Implementing API authentication (OAuth, OIDC, JWT)
- Designing authorization models for APIs
- Securing API endpoints
- Understanding API security vulnerabilities
- Implementing rate limiting and abuse prevention
- API key management
## Authentication Patterns
### OAuth 2.0 Flows
```text
OAuth 2.0 Grant Types:
1. Authorization Code (with PKCE)
└── Best for: Web apps, mobile apps, SPAs
└── Most secure for user authentication
User ──► Auth Server ──► Authorization Code ──► Token
2. Client Credentials
└── Best for: Service-to-service (M2M)
└── No user context, server-to-server
Service ──► Auth Server ──► Access Token
3. Device Authorization (Device Flow)
└── Best for: Smart TVs, IoT, limited input devices
└── User authorizes on separate device
Device ──► Show Code ──► User enters on phone ──► Token
Deprecated (avoid):
- Implicit flow (security issues)
- Resource Owner Password Credentials (anti-pattern)
```
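The grant type to reach for in most cases is Authorization Code with PKCE. The following is an added example, not code from the skill or the plugin repository: a client that derives `code_challenge` from a random `code_verifier` using the S256 method, and a toy in-memory authorization server (the `AuthorizationServer` class, its `authorize`/`token` methods, and the `spa-client` / `https://app.example/cb` values are all constructed for illustration) that binds the issued code to the challenge, consumes the code on first use, and refuses the token exchange when the presented verifier does not match.

```python
import base64
import hashlib
import hmac
import secrets

# --- Client side ---------------------------------------------------------

def make_code_verifier(n_bytes: int = 32) -> str:
    """Generate a high-entropy code_verifier (RFC 7636 section 4.1).

    secrets.token_urlsafe(32) yields 43 unreserved characters, the minimum
    length the spec allows (43..128).
    """
    return secrets.token_urlsafe(n_bytes)


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# --- Authorization server side (toy in-memory store; an assumption) ------

class AuthorizationServer:
    """Minimal stand-in for the PKCE-relevant parts of an authorization server."""

    def __init__(self) -> None:
        # authorization_code -> (client_id, redirect_uri, code_challenge, method)
        self._pending: dict[str, tuple[str, str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str) -> str:
        """Steps 3/4: after user authentication and consent, issue a code
        bound to the client's code_challenge."""
        if code_challenge_method != "S256":
            # RFC 7636 allows 'plain' only when S256 is unavailable; refuse it here.
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, redirect_uri, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
        """Steps 5/6: exchange the code for a token only if the verifier matches."""
        entry = self._pending.pop(code, None)  # single use: the code is consumed either way
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already-used code")
        stored_client, stored_redirect, stored_challenge, _ = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            raise PermissionError("invalid_grant: client_id/redirect_uri mismatch")
        expected = make_code_challenge(code_verifier)
        # Constant-time comparison; a code intercepted without its verifier fails here.
        if not hmac.compare_digest(expected, stored_challenge):
            raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: AuthorizationServer, correct_verifier: bool = True) -> bool:
    """Drive the whole flow; return True if a token was issued."""
    client_id, redirect_uri = "spa-client", "https://app.example/cb"  # constructed values
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(client_id, redirect_uri, challenge, "S256")
    # With correct_verifier=False the exchange models a party that holds the
    # code but not the original verifier.
    presented = verifier if correct_verifier else make_code_verifier()
    try:
        server.token(client_id, redirect_uri, code, presented)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate exchange:", run_flow(srv, True))
    print("wrong verifier:     ", run_flow(srv, False))
```

The verifier never leaves the client until the token request, and the server never stores it, so the only secret the server holds is a hash; the replay check in `token` is what makes a leaked authorization code worthless on its own.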
### Authorization Code Flow with PKCE
```text
┌──────────┐                                      ┌───────────────┐
│  Client  │                                      │  Auth Server  │
└────┬─────┘                                      └───────┬───────┘
     │                                                    │
     │ 1. Generate code_verifier (random)                 │
     │ 2. Compute code_challenge = SHA256(verifier)       │
     │                                                    │
     │──3. Authorization Request ────────────────────────►│
     │    (client_id, redirect_uri,                       │
     │     code_challenge, challenge_method)              │
     │                                                    │
     │◄──4. Authorization Code ───────────────────────────│
     │    (after user authentication/consent)             │
     │                                                    │
     │──5. Token Request ────────────────────────────────►│
     │    (code, code_verifier)