API access control with Airlock Secure Access Hub

The Airlock Secure Access Hub (SAH) offers a comprehensive set of API protection features. One of them is controlling access to protected APIs using API keys.

The solution involves the Airlock Gateway as the policy enforcement point and Airlock IAM to manage and provide information about the clients of the protected APIs.

The solution allows managing Tech-Client (API client) identities with attributes used for access control.

Main features

  • Manage Tech-Clients (API clients), access plans, rate limits and API keys (IAM).
  • Define access policies individually per Tech-Client.
  • Access control on APIs based on API keys through Airlock Gateway.
  • Apply rate limits individually per Tech-Client and API through Airlock Gateway.
  • Reporting on API and Tech-Client level.

Limitations

API keys are often hardcoded into client applications. This makes them vulnerable to theft, especially if the client application is distributed over an app store. API keys should only be used for authentication of Tech-Clients if the API key itself can be kept secret (e.g. the Tech-Client is operated in a secured data center environment).

Usage scenarios

The following sample usage scenarios give an idea of how API keys may be used in API access control.

Table: API key usage examples

| Tech-Client | Protected API | Sample usage |
| --- | --- | --- |
| Fintech webserver | Bank's Account API | The webserver of a fintech company accesses a bank's API to get account information. The API key is securely stored in the code or configuration of the fintech's webserver. The bank can control and report access to the API. |
| API client developer | Map service API | An application developer uses an API key to try out an API for a limited amount of time. The map service provider may limit the usage period of the API and impose a rate limit. |
| Weather app | Weather forecast API | The company providing the weather forecast wants to make sure that only paying customers are accessing the API. Rate limits may be applied depending on fees. |
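The following added example models the enforcement logic described in the main features and exercised by the three usage scenarios above: a Tech-Client registry that stores only a hash of each API key together with the client's attributes (access plan, allowed APIs, validity period, per-API rate limit), and an authorization function that a policy enforcement point would call per request. It is illustrative code written for this page, not Airlock Gateway or Airlock IAM code; the client names, API names, key values and limits are constructed to mirror the table.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple


def hash_key(api_key: str) -> str:
    """Store and compare API keys only as SHA-256 digests, never in plaintext."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


@dataclass
class TechClient:
    name: str
    key_hash: str
    access_plan: str
    allowed_apis: FrozenSet[str]
    rate_limit_per_minute: Dict[str, int]      # api -> requests allowed per minute
    valid_until: Optional[datetime] = None     # None = no expiry
    # per-API fixed-window counter: api -> (window number, request count)
    windows: Dict[str, Tuple[int, int]] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    client: Optional[str] = None


class Registry:
    """Minimal stand-in for the identity store (IAM role in the page)."""

    def __init__(self) -> None:
        self.clients: Dict[str, TechClient] = {}

    def register(self, client: TechClient) -> None:
        self.clients[client.key_hash] = client

    def lookup(self, api_key: str) -> Optional[TechClient]:
        # The presented key is hashed before lookup, so the plaintext never touches storage.
        return self.clients.get(hash_key(api_key))


def authorize(registry: Registry, api_key: str, api: str, now: datetime) -> Decision:
    """Policy enforcement point logic: identify the Tech-Client, then apply its policy."""
    client = registry.lookup(api_key)
    if client is None:
        return Decision(False, "unknown_api_key")
    if client.valid_until is not None and now > client.valid_until:
        return Decision(False, "key_expired", client.name)
    if api not in client.allowed_apis:
        return Decision(False, "api_not_in_plan", client.name)
    limit = client.rate_limit_per_minute.get(api)
    if limit is not None:
        window = int(now.timestamp() // 60)
        start, count = client.windows.get(api, (window, 0))
        if start != window:            # new minute: reset the counter
            start, count = window, 0
        if count >= limit:
            return Decision(False, "rate_limited", client.name)
        client.windows[api] = (start, count + 1)
    return Decision(True, "ok", client.name)


def build_sample_registry() -> Tuple[Registry, Dict[str, str]]:
    """Constructed sample clients mirroring the usage table; keys are made up for this example."""
    keys = {
        "fintech": "fintech-webserver-key-CONSTRUCTED",
        "trial-dev": "developer-trial-key-CONSTRUCTED",
        "weather-app": "weather-app-key-CONSTRUCTED",
    }
    reg = Registry()
    reg.register(TechClient("fintech-webserver", hash_key(keys["fintech"]), "partner",
                            frozenset({"account-api"}), {"account-api": 100}))
    reg.register(TechClient("developer-trial", hash_key(keys["trial-dev"]), "trial",
                            frozenset({"map-api"}), {"map-api": 10},
                            valid_until=datetime(2024, 12, 31, tzinfo=timezone.utc)))
    reg.register(TechClient("weather-app", hash_key(keys["weather-app"]), "basic-fee",
                            frozenset({"weather-api"}), {"weather-api": 2}))
    return reg, keys


if __name__ == "__main__":
    reg, keys = build_sample_registry()
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    for key, api in [(keys["fintech"], "account-api"), (keys["trial-dev"], "map-api"),
                     (keys["weather-app"], "weather-api"), (keys["weather-app"], "weather-api"),
                     (keys["weather-app"], "weather-api"), ("not-a-key", "account-api")]:
        print(api, authorize(reg, key, api, now))
```

The per-client, per-API counters are what make the reporting and rate-limit features possible at the gateway; the `reason` field in each decision is the value an access log should carry so that expired trial keys, plan violations and throttling show up as distinct events.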