Securing REST APIs/service APIs

This tutorial shows different ways how to protect REST APIs using the Airlock Secure Access Hub. It is especially thought for protecting APIs used by mobile apps.

Further information about the REST API (especially Authentication API) can be found here: REST APIs provided by IAM.

It covers the following cases:

  • using the Authentication REST API (Loginapp) with Cookie Session Tracking
  • using the Authentication REST API (Loginapp) with Bearer Token Session Tracking
  • using JWT bearer tokens
  • using the Device Token authentication step
  • Persistent REST Authentication using OAuth 2 PKCE ("Pixy")

The tutorial assumes the following scenario including usage of the "one-shot" authentication flow (see also HTTP request authentication (Airlock One-Shot flow)):