API access control with Airlock Secure Access Hub

The Airlock Secure Access Hub (SAH) offers a comprehensive set of API protection features. One of them is controlling access to protected APIs using API keys.

The solution uses the Airlock Gateway as the policy enforcement point and Airlock IAM to manage the clients of the protected APIs and to provide the Gateway with information about them.

Tech-Client (API client) identities are managed in IAM together with the attributes that are used for access control decisions.

Main features

  • Manage Tech-Clients (API clients), access plans, rate limits and API keys (IAM).
  • Define access policies individually per Tech-Client.
  • Access control on APIs based on API keys through Airlock Gateway.
  • Apply rate limits individually per Tech-Client and API through Airlock Gateway.
  • Reporting on API and Tech-Client level.

Limitations

API keys are often hardcoded into client applications. This makes them vulnerable to theft, especially if the client application is distributed via an app store. API keys should only be used to authenticate Tech-Clients if the key itself can be kept confidential (e.g. the Tech-Client runs in a secured data center environment).

Usage scenarios

The following sample usage scenarios give an idea of how API keys may be used in API access control.

Tech-Client: Fintech webserver
Protected API: Bank's Account API
Sample usage: The webserver of a fintech company accesses a bank's API to get account information. The API key is securely stored in the code or configuration of the fintech's webserver. The bank can control and report access to the API.

Tech-Client: API client developer
Protected API: Map service API
Sample usage: An application developer uses an API key to try out an API for a limited amount of time. The map service provider may limit the usage period of the API and impose a rate limit.

Tech-Client: Weather app
Protected API: Weather forecast API
Sample usage: The company providing the weather forecast wants to make sure that only paying customers are accessing the API. Rate limits may be applied depending on fees.

Table 1: API key usage examples
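The following added example (not Airlock code) models the policy enforcement described under "Main features" and exercised by the scenarios in Table 1: a gateway resolves an API key to a Tech-Client record from a directory that stands in for IAM, then checks the client's access plan, usage period and per-API rate limit. The directory entries, key values and the `Gateway` class are constructed for illustration; keys are stored only as SHA-256 hashes so a leaked directory does not expose usable credentials.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class TechClient:
    name: str
    allowed_apis: set            # APIs granted by the client's access plan
    rate_limit_per_min: int      # requests per minute and API
    valid_until: Optional[float] # end of usage period (epoch secs), None = unlimited

def key_id(api_key: str) -> str:
    """Directory index: hash of the API key, never the key itself."""
    return hashlib.sha256(api_key.encode()).hexdigest()

TRIAL_END = 1_000_000.0 + 7 * 86400   # constructed: 7-day trial for the developer

# Constructed stand-in for the IAM Tech-Client directory (see Table 1 scenarios).
DIRECTORY = {
    key_id("fintech-key-1"): TechClient("fintech-webserver", {"account-api"}, 60, None),
    key_id("dev-trial-key"): TechClient("api-client-dev", {"map-api"}, 5, TRIAL_END),
}

class Gateway:
    """Policy enforcement point: decides per request and counts usage per minute."""
    def __init__(self, directory, clock=time.time):
        self.directory = directory
        self.clock = clock            # injectable for deterministic tests
        self.counters = {}            # (client, api, minute bucket) -> request count

    def authorize(self, api_key: str, api: str):
        client = self.directory.get(key_id(api_key))
        if client is None:
            return 401, "unknown API key"
        now = self.clock()
        if client.valid_until is not None and now > client.valid_until:
            return 403, "usage period expired"
        if api not in client.allowed_apis:
            return 403, "API not covered by access plan"
        bucket = (client.name, api, int(now // 60))
        count = self.counters.get(bucket, 0) + 1
        self.counters[bucket] = count
        if count > client.rate_limit_per_min:
            return 429, "rate limit exceeded"
        return 200, client.name       # allowed; client name feeds reporting
```

Each decision returns an HTTP-style status and a reason, so the same tuple can drive both the response and the per-Tech-Client reporting the page mentions.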