Proper security measures are one of the most important aspects of building an application programming interface, or API. It’s great for an API to connect systems and give developers access to the data and functions they need to create new apps and digital experiences, but only if those connections and that access are protected.
For the API provider, this requires a balance. One of the main purposes of an API is to help developers get things done—and no one wants to work with a locked-down tool whose security mechanisms get in the way of productivity. An API is worthless if developers aren’t consuming it, so ease of use is important.
This means API providers should generally avoid the kind of complex systems dependencies and heavy-handed governance models that typified previous generations of IT strategy—but they also need to understand today’s threats and provide strong protections that don’t get in the user’s way. Here, based on our observations working with Fortune 500 companies, are four security cautions that may help API teams strike this balance.