
Web API Authentication and Authorization Step By Step Guide

When an API Forgot to Lock Its Door

It started like any other deployment. A young developer pushed their first public API live: a small service for fetching product listings. Everything worked perfectly in testing. Within hours, thousands of records had been scraped. The culprit? A single testing key left inside the code. No hacker army, no zero-day exploit. Just one overlooked key. By the time the team noticed, their data had been mirrored across multiple scraping forums. The logs told a painful but straightforward story: the API forgot to lock its door.

And this isn't a rare slip. In May 2025 alone, over 180 million credentials were exposed through unsecured APIs, most of which lacked even basic authentication. The modern API economy moves fast, but security oversights move faster. The real lesson here isn't fear. It's recognition. Every team, at some point, has shipped something too quickly. But in today's connected world, APIs aren't just pipes that shuffle data between systems. They're how your business exposes trust to the world. And trust, once lost, doesn't return easily.

That's why this guide isn't another checklist of "best practices". We're walking through how APIs actually prove identity, control access, and maintain security, not just once, but continuously, every time a request hits your server. So before we add tokens, headers, and JSON payloads, let's start simple. Let's meet the two guards standing at every digital gate: the ones who decide who gets in, and what they can do once they're inside.

Step 1: Understanding the Two Gatekeepers

Think of your API like an airport. Every passenger needs to show an ID to enter. That's authentication. But not everyone who enters can board every plane. That's authorization. These two guards (AuthN and AuthZ) stand side by side, yet many confuse them because they look so similar in practice. They both use tokens, both happen near the start of a request, and both decide access.

But conceptually, they answer very different questions:

Authentication: "Who are you?"
Authorization: "What are you allowed to do?"

You can think of authentication as introducing yourself: proving you are who you say you are. Authorization comes next. It determines what you're permitted to do now that you're trusted. For developers, it's the difference between:

Logging in with your credentials (AuthN)
Trying to access /admin after login (AuthZ)

One verifies your identity; the other enforces your boundaries. They often appear together in API flows, but keeping them conceptually separate helps you design cleaner, more layered security systems: systems that don't just open doors, but open the right doors for the right people. The practical consequence is that a valid token is never, by itself, a reason to serve a request. Passing AuthN only means the caller is known; AuthZ still has to decide, per endpoint and per object, whether that known caller may do this particular thing.

Different needs? Check out How to Secure an API Without Authentication.

Now that we've met the guards, let's step into the terminal and see where they stand: inside the request flow that determines every API interaction.

Step 2: What Really Happens When an API Request Arrives

Every API call takes a journey. It starts the moment your client app (maybe a mobile frontend, perhaps a partner integration) sends a request. That single HTTP call then moves through a series of invisible checkpoints, each one inspecting, validating, and deciding what happens next. You can think of it like walking through a high-security building. At each door, someone asks a different question before letting you pass. Let's follow one request and see where those doors stand.

1. The Client Sends the Request

It begins at the source: the client app. A mobile or web client sends an HTTP request that carries a bearer token, an API key, or OAuth credentials, typically in the Authorization header. These aren't just headers. They're proofs of identity (or, in the case of an API key, proof of which client is calling). Maybe it's a GET /user/profile call with a JWT attached in the header. Maybe it's a GraphQL query. Either way, the client is saying: "Here's who I am, and here's what I want to do."

2. The API Gateway: The First Door

Before the request reaches your backend, it passes through the API gateway. This is the first real gatekeeper. The gateway validates headers, rejects requests with missing tokens, enforces rate limits and throttling, and decides whether this request should proceed at all. It's part traffic controller, part bouncer. It ensures fair use, logs activity, and stops basic abuse before it reaches anything sensitive.

3. The WAF: The Silent Shield

A Web Application Firewall (WAF) inspects incoming requests for malicious intent. It scans payloads for SQL injection, XSS attempts, or other suspicious patterns, and blocks matches outright. An attacker can weaponize a request that looks perfectly normal to a developer; the WAF's job is to catch that. Where it sits relative to the gateway depends on the deployment: in many architectures the WAF is at the edge, in front of the gateway, so a malicious payload is dropped before the gateway ever sees it; in others it runs as a gateway plugin. Either way, a WAF is a pattern-based filter, not a substitute for the two gatekeepers: it does not know who the caller is or what they are allowed to do.

Confused between API Gateways and WAFs? Read API Gateway vs WAF.

4. The Authentication Layer: "Who Are You?"

Next, the request enters the authentication layer. This is where identity is verified. Here the system checks that the token or credential attached to the request is valid, unexpired, and actually issued by a trusted Identity Provider (IdP). That could be an OAuth 2.0 authorization server, an enterprise SSO, a directory-backed IdP such as Active Directory, or a hosted IdP like Auth0. For a signed token such as a JWT, "valid" means more than a signature that happens to verify: the verifier should pin the signing algorithm it expects rather than trusting the token's own alg header, check the signature against the trusted issuer's key, and check the exp, iss and aud claims so that an expired token, a token from another issuer, or a token minted for a different API is rejected. If all of that holds, you're cleared for the next gate.

5. The Authorization Logic: "What Can You Do?"

Now that your identity is confirmed, the system checks your permissions. Are you an admin or a regular user? Are you allowed to access /api/v2/admin/settings? This is where authorization policies come into play. Sometimes they're role-based (RBAC), sometimes attribute-based (ABAC), and sometimes enforced by an external policy engine such as Open Policy Agent (OPA). Authorization has to be applied at two levels: at the endpoint (may this role call this route?) and at the object (may this user read this specific record?). The second check is the one most often forgotten; a token that is perfectly valid for user 42 must still be refused a request for /user/43/profile. The system doesn't just know who you are; it now decides what you can do.

6. The Backend: The Vault

Finally, the request reaches the backend. This is the vault of your data and business logic. At this point, the layers of defense have filtered and validated everything. The backend executes the logic, fetches data from the database, and returns a response, ideally to the same person who requested it. Each of these steps (WAF, API Gateway, IDP, Authorization
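To make the two gatekeepers of Step 1 and the request flow of Step 2 concrete, here is an added example in Python. It is not code from the original post or from AppSentinels; it is a constructed, self-contained stand-in for the pipeline. Its assumptions: tokens are HS256 JWTs signed with a shared secret (a real IdP would normally sign with an asymmetric key and publish a JWKS), the issuer and audience strings, the route shapes (/api/v2/admin/..., /user/<id>/..., /products) and the roles claim are all invented for illustration, and the gateway and WAF are reduced to a single "is there a bearer token at all" check. It goes slightly beyond the text by showing the two failure modes a practitioner most wants guarded against: a token whose alg header is not the one the server expects, and a valid token used to reach another user's object.

```python
"""One request walking through the gates: gateway check -> AuthN (JWT) -> AuthZ -> backend.

Constructed example. The shared secret, issuer, audience and route shapes below are
assumptions for illustration, not anything taken from the original post.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-hs256-secret-not-for-production"  # assumed shared secret with the IdP
ISSUER = "https://idp.example.com"                   # assumed trusted issuer (iss claim)
AUDIENCE = "product-api"                             # assumed audience (aud claim) for this API


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, roles: list, ttl: int = 300, now=None) -> str:
    """Stand-in for the IdP: issues an HS256 JWT carrying iss, aud, sub, roles, iat and exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class GateError(Exception):
    """A gate refused the request; status is the HTTP code that gate would answer with."""
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status, self.reason = status, reason


def authenticate(token: str, now=None) -> dict:
    """AuthN gate ("who are you?"): pinned alg, signature, exp, iss and aud are all checked."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON all end up here
        raise GateError(401, "malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise GateError(401, "malformed token")
    if header.get("alg") != "HS256":  # never let the token choose how it is verified
        raise GateError(401, "unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise GateError(401, "bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise GateError(401, "token expired")
    if claims.get("iss") != ISSUER:
        raise GateError(401, "untrusted issuer")
    if claims.get("aud") != AUDIENCE:  # a token minted for another API is not a token for this one
        raise GateError(401, "wrong audience")
    return claims


def authorize(claims: dict, method: str, path: str) -> None:
    """AuthZ gate ("what may you do?"): role check on admin routes, ownership check on user routes."""
    parts = path.strip("/").split("/")
    is_admin = "admin" in claims.get("roles", [])
    if parts[:3] == ["api", "v2", "admin"]:
        if not is_admin:
            raise GateError(403, "admin role required")
    elif parts[:1] == ["user"] and len(parts) >= 2:
        # Object-level check: alice's perfectly valid token does not entitle her to bob's profile.
        if parts[1] != claims.get("sub") and not is_admin:
            raise GateError(403, "not the owner of this resource")
    elif parts[:1] == ["products"] and method == "GET":
        pass  # catalogue reads are open to any authenticated caller
    else:
        raise GateError(403, "no policy allows this request")  # deny by default


def handle_request(method: str, path: str, headers: dict, now=None) -> tuple:
    """Runs one request through gateway -> AuthN -> AuthZ -> backend; returns (status, body)."""
    try:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            raise GateError(401, "missing bearer token")  # the gateway's cheap check, before AuthN
        claims = authenticate(auth[len("Bearer "):], now=now)
        authorize(claims, method, path)
    except GateError as err:
        return err.status, {"error": err.reason}
    return 200, {"sub": claims["sub"], "path": path}  # the "vault": real handler logic goes here


if __name__ == "__main__":
    tok = mint_token("alice", ["user"])
    for route in ("/user/alice/profile", "/user/bob/profile", "/api/v2/admin/settings"):
        print(route, handle_request("GET", route, {"Authorization": "Bearer " + tok}))
```

Two design choices are worth noticing. The 401/403 split mirrors the two gatekeepers: 401 means the AuthN gate could not establish who you are, 403 means it knows who you are and the AuthZ gate said no. And the final else branch in authorize denies anything no policy explicitly allows, which is what keeps a newly added route from silently inheriting "anyone with a token may call this".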


*** This is a Security Bloggers Network syndicated blog from API Security Resources authored by Lavanya J. Read the original post at: https://appsentinels.ai/blog/web-api-authentication-and-authorization-step-by-step/