API-X is designed to let you implement secure endpoints with simplicity and flexibility. It lets you use one of several well-tested authentication and authorization mechanisms, and provides options while abstracting away the complicated details behind each approach.
API-X will ask you simple questions such as:
It will then use the answers to those questions to protect your API against malicious requests and to provide access control for authorized requests.
API-X enforces SSL/TLS for all endpoints. Requests that do not come from an encrypted connection are rejected to ensure secure communication.
You must enable SSL/TLS on your server, as API-X only accepts encrypted requests. While API-X provides a developer mode to disable these checks for local development, it is critical to disable developer mode in production environments for security.
For more information on Developer Mode, see ApiXManager#developerModeEnabled.
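The connection check described above, as an added example that is not API-X's own code: a helper that decides whether a Node.js request arrived over TLS, including the case where TLS is terminated by a reverse proxy. The option names `trustedProxies` and `developerMode` are assumptions for this example, not API-X configuration.

```javascript
// Added example, not part of API-X. `req` is shaped like a Node.js
// http.IncomingMessage (socket + headers); the option names are assumed.
function isEncryptedRequest(req, { trustedProxies = [], developerMode = false } = {}) {
  // Developer mode skips the check entirely; it must be off in production.
  if (developerMode) return true;

  // TLS terminated by this process: the socket itself is a TLSSocket.
  if (req.socket && req.socket.encrypted) return true;

  // Behind a TLS-terminating proxy the socket is plaintext, so the only
  // evidence is X-Forwarded-Proto. That header is attacker-controlled on
  // any direct connection, so trust it only from a known proxy address.
  const peer = req.socket && req.socket.remoteAddress;
  if (!trustedProxies.includes(peer)) return false;

  // Take the first hop only; downstream proxies append to the list.
  const proto = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  return proto === 'https';
}

module.exports = { isEncryptedRequest };
```

The middleware that uses this helper should reject the request (for example with 403) before any header parsing or key lookup, so plaintext traffic never reaches the authentication code.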
API-X verifies each request before it reaches the endpoint handler: it checks that all required security fields are present, that the calling application is verified, and that the request satisfies access control. Only valid requests reach your endpoint, so you can focus on the business logic of your endpoints without duplicating this validation.
Authentication identifies who is making a request to an API. API-X serves requests only from authorized applications, verifying each request's identity using an API Key sent in the X-API-Key header:
X-API-Key: <api_key>
API-X uses a data manager to verify the application by asking a simple question:
Who is this API Key?
Typically, this translates to a simple database lookup. You implement it in a concrete ApiXDataManager class that performs this verification.
For more details, see ApiXManager and ApiXDataManager#getAppKeyForApiKey.
For information on securely storing API Keys on clients, see Securely Store Keys on iOS, Android, and Web Applications.
Each request has a unique signature generated by the client, which is used by API-X to verify the request's authenticity, integrity, and uniqueness.
API-X uses this signature to ensure that:
The client signs the request with a secret key, and the server recomputes the signature with the same key and checks that the two match.
Only an application that holds the signing key can generate a valid signature. API-X verifies the request signature using application-specific information. If a third party attempts to send a request, the signature will not match and the request is rejected.
The signature is an HMAC-SHA-256 computed over key request details such as:
If any part of the request changes, the signature will no longer be valid, and API-X will reject it, ensuring the request remains intact.
API-X prevents replay attacks by invalidating each request signature after a single use. If an attacker attempts to resend a captured request, it will be rejected as the signature has already been processed.
Each request is timestamped, and by default requests older than one minute are rejected (this value is configurable), so client and server clocks must be kept reasonably in sync. Additionally, a unique nonce ensures that even two requests sent at the same instant have different signatures.
A client, such as one built with the official Node.js API-X Client, sends the signature and its inputs in HTTP headers:
X-Signature: <unique signature>
X-Signature-Nonce: <nonce>
Date: <UTC Date / Timestamp>
For details on how to securely store cryptographic keys on clients, see Securely Store Keys on iOS, Android, and Web Applications.
API-X provides an access control mechanism called Access Levels that you can use to:
Access levels allow you to set permission requirements for each endpoint, as well as the scope of data that can be accessed. When defining an endpoint, you specify the required access level, and during a request, API-X evaluates if the request meets the necessary access level.
Access levels integrate with industry-standard authorization mechanisms such as JSON Web Tokens (JWTs) and OAuth 2.0, so the same check can be driven by claims those systems already carry.
For more details on how to implement access control in API-X, see Implementing_Access_Control_with_Access_Levels.
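The per-endpoint evaluation described above, as an added example that is not API-X's own code: endpoints declare a required access level and, optionally, a data scope, and a request is admitted only if the principal's level meets the requirement and the scope rule holds. The level names and ordering (`public` < `user` < `admin`), the `owner` scope rule, and the idea that an admin may read any user's data are assumptions for this example; the real level definitions belong to Implementing_Access_Control_with_Access_Levels. The `principal` object stands for whatever a verified JWT or OAuth 2.0 token yielded.

```javascript
// Added example, not API-X code. Level names, ordering and scope rule are assumed.
const ACCESS_LEVELS = { public: 0, user: 10, admin: 20 };

// Endpoint table: required level plus an optional data-scope rule.
// scope: 'owner' means the :id in the path must belong to the caller.
const ENDPOINTS = [
  { method: 'GET',    path: '/v1/status',    level: 'public' },
  { method: 'GET',    path: '/v1/users/:id', level: 'user', scope: 'owner' },
  { method: 'DELETE', path: '/v1/users/:id', level: 'admin' },
];

// Match method + path against the table, extracting :params.
function matchEndpoint(method, path) {
  const want = path.split('/');
  for (const ep of ENDPOINTS) {
    if (ep.method !== method) continue;
    const pat = ep.path.split('/');
    if (pat.length !== want.length) continue;
    const params = {};
    let ok = true;
    for (let i = 0; i < pat.length; i++) {
      if (pat[i].startsWith(':')) params[pat[i].slice(1)] = want[i];
      else if (pat[i] !== want[i]) { ok = false; break; }
    }
    if (ok) return { endpoint: ep, params };
  }
  return null;
}

// principal: { subject, level } from the verified token, or null if anonymous.
// Unknown endpoints and unknown levels are denied (fail closed).
function authorize(principal, method, path) {
  const m = matchEndpoint(method, path);
  if (!m) return { allowed: false, reason: 'unknown endpoint' };
  const { endpoint, params } = m;

  const have = principal ? (ACCESS_LEVELS[principal.level] ?? -1) : ACCESS_LEVELS.public;
  const need = ACCESS_LEVELS[endpoint.level];
  if (have < need) return { allowed: false, reason: 'insufficient level' };

  // Data scope: a plain user may only touch their own record; admins (assumed) may touch any.
  if (endpoint.scope === 'owner' && have < ACCESS_LEVELS.admin && params.id !== principal.subject) {
    return { allowed: false, reason: 'out of scope' };
  }
  return { allowed: true, params };
}

module.exports = { authorize, matchEndpoint, ACCESS_LEVELS };
```

Keeping the level and the scope as separate checks is deliberate: the level answers "may this kind of caller hit this endpoint at all", while the scope answers "may this particular caller see this particular row", which is where most authorization bugs (IDOR-style) actually live.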
API-X secures endpoints by working only with authorized applications. The application registration process depends on the type of API. For private APIs (used only by you), registration can be straightforward and often done offline. For public APIs (available for other developers), a more secure and structured registration process is required.
For more details, see Securely Registering New Applications.