Different Types of APIs

Up until this point, we've talked about what APIs are, how they're created, and how to access them. But there's a critical question we haven't addressed: how do we secure APIs so that not just anybody can access the endpoints and take data they want willy-nilly?

This article explores the different types of APIs based on their security model and access control mechanisms, showing how organisations protect their data and control who can use their services.

The Security Challenge

When you build an API, you're essentially opening a door to your system. Without proper security measures, anyone on the internet could:

• Access sensitive data without permission
• Modify or delete information they shouldn't touch
• Overwhelm your system with excessive requests
• Exploit vulnerabilities for malicious purposes
• Steal user credentials and personal information

This is why understanding API security and implementing proper access controls is essential for any production system.

Public APIs - Open but Controlled

What Are Public APIs?

Public APIs are accessible to anyone on the internet, but they're not completely unrestricted. They implement various security measures to prevent abuse while maintaining accessibility.

Characteristics

• No Authentication Required: Basic access without login credentials
• Rate Limiting: Restrictions on how many requests can be made
• Usage Quotas: Limits on data access and functionality
• Public Documentation: Open access to API specifications
• Monitoring and Abuse Prevention: Systems to detect and block malicious activity

Security Measures in Public APIs

Rate Limiting

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1642233600

Usage Quotas

• Daily/monthly request limits
• Data volume restrictions
• Feature access limitations
• Geographic restrictions

Abuse Prevention

• IP address monitoring
• Request pattern analysis
• Automated blocking of suspicious activity
• Human review of flagged requests

Examples of Public APIs

Weather Services

# OpenWeatherMap (requires free API key)
curl "https://api.openweathermap.org/data/2.5/weather?q=London&appid=YOUR_API_KEY"

# wttr.in (no key required, but rate limited)
curl "https://wttr.in/Sydney?format=j1"

Public Information

# IP geolocation
curl "https://ipapi.co/json"

# Public GitHub data
curl "https://api.github.com/users/octocat"

Financial Data

# Exchange rates (free tier with limits)
curl "https://api.exchangerate-api.com/v4/latest/USD"

When to Use Public APIs

Use Public APIs for:

• Non-sensitive, general information
• Educational and testing purposes
• Public data that benefits from wide access
• Building developer communities
• Demonstrating your platform's capabilities

Security Considerations:

• Implement strict rate limiting
• Monitor for abuse and unusual patterns
• Have clear terms of service
• Provide abuse reporting mechanisms
• Regular security audits and updates

Private APIs - Internal Access Only

What Are Private APIs?

Private APIs are restricted to internal use within an organisation. They're never exposed to the public internet and are protected by network-level security measures.

Characteristics

• Internal Network Only: Not accessible from the internet
• No Public Documentation: Internal specifications and guides
• Strict Access Control: Limited to authorised personnel
• High Security Standards: Enhanced protection for sensitive data
• Network Segmentation: Isolated from public-facing systems

Security Measures in Private APIs

Network-Level Security

• Firewalls: Block external access attempts
• VPN Access: Secure remote access for employees
• Network Segmentation: Separate internal and external networks
• IP Whitelisting: Only allow specific internal IP addresses

Authentication and Authorisation

# Internal API call with employee credentials
curl -H "Authorization: Bearer internal-token" \
  -H "X-Employee-ID: 12345" \
  https://internal-api.company.com/employees

Access Logging

• Comprehensive audit trails
• User activity monitoring
• Suspicious activity detection
• Compliance reporting

Examples of Private APIs

Employee Management

# HR system API
curl -H "Authorization: Bearer hr-token" \
  https://internal.company.com/api/hr/employees

# Payroll system
curl -H "Authorization: Bearer payroll-token" \
  https://internal.company.com/api/payroll/salaries

Internal Tools

# Monitoring and alerting
curl -H "Authorization: Bearer monitoring-token" \
  https://internal.company.com/api/monitoring/status

# Configuration management
curl -H "Authorization: Bearer config-token" \
  https://internal.company.com/api/config/database

When to Use Private APIs

Use Private APIs for:

• Internal business systems
• Employee-only tools and services
• Sensitive company data
• Administrative functions
• System-to-system communication

Security Considerations:

• Implement strong internal authentication
• Regular security training for employees
• Network monitoring and intrusion detection
• Access control based on job roles
• Regular security assessments

Partner APIs - Controlled External Access

What Are Partner APIs?

Partner APIs provide controlled access to trusted third-party organisations. They require formal agreements, authentication, and often have specific usage terms and restrictions.

Characteristics

• Formal Agreements: Legal contracts and usage terms
• Authentication Required: API keys or tokens for access
• Usage Monitoring: Tracking and reporting of API usage
• Limited Functionality: Access only to agreed-upon features
• Business Relationships: Strategic partnerships and integrations

Security Measures in Partner APIs

Partner Authentication

# Partner API call with dedicated credentials
curl -H "Authorization: Bearer partner-token-abc123" \
  -H "X-Partner-ID: partner-company" \
  https://api.company.com/partner/data

Usage Controls

• Rate Limiting: Partner-specific quotas
• Data Access Limits: Restricted to agreed-upon data
• Feature Restrictions: Limited functionality based on partnership level
• Usage Reporting: Regular reports on API usage

Legal and Compliance

• Formal partnership agreements
• Data sharing agreements
• Compliance with regulations
• Regular partnership reviews

Examples of Partner APIs

Financial Services

# Bank allowing payment processor access
curl -H "Authorization: Bearer payment-token" \
  -H "X-Partner: stripe" \
  https://api.bank.com/partner/accounts/verify

# Credit card processor integration
curl -H "Authorization: Bearer merchant-token" \
  https://api.payment.com/partner/transactions

E-commerce Integrations

# Shipping provider integration
curl -H "Authorization: Bearer shipping-token" \
  https://api.shipping.com/partner/rates

# Inventory management system
curl -H "Authorization: Bearer inventory-token" \
  https://api.warehouse.com/partner/stock

When to Use Partner APIs

Use Partner APIs for:

• Strategic business partnerships
• Third-party integrations
• Data sharing agreements
• Revenue-generating partnerships
• Expanding platform ecosystem

Security Considerations:

• Thorough partner vetting process
• Clear data sharing agreements
• Regular security assessments
• Monitoring for unusual activity
• Incident response procedures

Internal Service APIs - System-to-System Communication

What Are Internal Service APIs?

Internal service APIs facilitate communication between different parts of your system architecture. They're not exposed to external users but enable your applications to work together.

Characteristics

• Machine-to-Machine: Used by systems, not humans
• High Performance: Optimised for speed and reliability
• Internal Network: Not accessible from external networks
• Service Discovery: Automatic service location and communication
• Load Balancing: Distributed across multiple instances

Security Measures in Internal Service APIs

Service Authentication

# Service-to-service communication
curl -H "Authorization: Service service-name" \
  -H "X-Service-Token: internal-service-key" \
  https://user-service.internal/api/users/123

Network Security

• Service Mesh: Secure inter-service communication
• mTLS: Mutual TLS authentication between services
• Network Policies: Control which services can communicate
• Service Identity: Unique identifiers for each service

Access Control

• Service Roles: Different permissions for different services
• Resource Scoping: Services can only access their required data
• Audit Logging: Track all inter-service communication
• Rate Limiting: Prevent service overload

Examples of Internal Service APIs

Microservices Communication

# User service calling payment service
curl -H "Authorization: Service user-service" \
  https://payment-service.internal/api/charges

# Order service calling inventory service
curl -H "Authorization: Service order-service" \
  https://inventory-service.internal/api/stock/check

Data Processing Pipelines

# Analytics service calling data warehouse
curl -H "Authorization: Service analytics-service" \
  https://warehouse.internal/api/data/export

# Notification service calling user preferences
curl -H "Authorization: Service notification-service" \
  https://preferences.internal/api/users/123/settings

When to Use Internal Service APIs

Use Internal Service APIs for:

• Microservices architecture
• Data processing pipelines
• System integration
• Internal tooling
• Service orchestration

Security Considerations:

• Implement service mesh security
• Use mutual TLS authentication
• Regular service identity rotation
• Monitor inter-service communication
• Implement circuit breakers and timeouts

API Security Implementation

Authentication Methods

API Keys

# Simple API key authentication
curl -H "X-API-Key: your-api-key-here" \
  https://api.example.com/data

Bearer Tokens

# JWT token authentication
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  https://api.example.com/data

OAuth 2.0

# OAuth token with scopes
curl -H "Authorization: Bearer oauth-token" \
  -H "X-Scope: read:users write:orders" \
  https://api.example.com/users

Authorisation and Access Control

Role-Based Access Control (RBAC)

{
  "user_id": "12345",
  "roles": ["user", "moderator"],
  "permissions": [
    "read:own_profile",
    "read:public_data",
    "moderate:comments"
  ]
}

Resource-Level Security

{
  "resource": "user_profile",
  "owner_id": "12345",
  "access_level": "owner",
  "allowed_operations": ["read", "update", "delete"]
}

API Scopes and Permissions

{
  "client_id": "partner-app",
  "scopes": [
    "read:public_data",
    "write:orders",
    "read:own_orders"
  ],
  "rate_limits": {
    "requests_per_minute": 100,
    "requests_per_day": 10000
  }
}

Rate Limiting and Abuse Prevention

Request Rate Limiting

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1642233600
Retry-After: 60

IP-Based Restrictions

• Geographic restrictions
• IP whitelisting/blacklisting
• Suspicious IP detection
• Automated blocking

User-Based Quotas

• Per-user rate limits
• Usage tracking and billing
• Fair usage policies
• Abuse detection and prevention

Security Best Practices

API Design Security

Input Validation

{
  "validation": {
    "email": "required|email|max:255",
    "password": "required|min:8|regex:/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/",
    "age": "integer|min:13|max:120"
  }
}

Output Sanitisation

• Remove sensitive data from responses
• Sanitise error messages
• Implement proper CORS policies
• Use secure headers

Error Handling

{
  "error": {
    "code": "AUTHENTICATION_FAILED",
    "message": "Invalid credentials",
    "details": "Please check your API key"
  }
}

Monitoring and Alerting

Security Monitoring

• Real-time threat detection
• Unusual activity alerts
• Failed authentication monitoring
• Rate limit violation tracking

Audit Logging

{
  "timestamp": "2024-01-15T10:30:00Z",
  "user_id": "12345",
  "action": "api_call",
  "endpoint": "/api/users/123",
  "method": "GET",
  "ip_address": "203.0.113.1",
  "user_agent": "PartnerApp/1.0",
  "status": "success"
}

Incident Response

• Security incident procedures
• Automated threat blocking
• Human review processes
• Recovery and remediation

Choosing the Right API Type

Decision Factors

Data Sensitivity

• Public: Non-sensitive, general information
• Private: Highly sensitive, internal data
• Partner: Moderately sensitive, shared data
• Internal: System data, not user data

Access Requirements

• Public: Wide accessibility, minimal friction
• Private: Internal users only, high security
• Partner: Controlled external access
• Internal: System-to-system communication

Business Goals

• Public: Community building, platform adoption
• Private: Internal efficiency, data protection
• Partner: Strategic partnerships, revenue
• Internal: System architecture, scalability

Implementation Strategy

Start with Security

• Implement authentication from day one
• Design with security in mind
• Regular security assessments
• Stay updated with security best practices

Gradual Exposure

• Begin with private/internal APIs
• Add partner APIs as needed
• Consider public APIs for non-sensitive data
• Monitor and adjust security measures

Continuous Improvement

• Regular security reviews
• Update authentication methods
• Enhance monitoring and alerting
• Respond to new security threats

Conclusion

API security is not an afterthought - it's a fundamental requirement for any production system. By understanding the different types of APIs and their security models, you can implement appropriate protection measures that balance accessibility with security.

The key to successful API security is:

• Choose the Right Type: Match your API type to your security requirements
• Implement Strong Authentication: Use appropriate authentication methods for your use case
• Control Access: Implement proper authorisation and rate limiting
• Monitor and Respond: Continuously monitor for threats and respond to incidents
• Stay Updated: Keep up with security best practices and emerging threats

Remember that security is an ongoing process, not a one-time implementation. Regular reviews, updates, and monitoring are essential to maintaining the security of your APIs as threats evolve and your system grows.

Start with the security basics and gradually build more sophisticated protection as your needs develop. The investment in proper API security will protect your data, your users, and your organisation's reputation.

Further Reading

• Explore OAuth 2.0 and JWT authentication methods
• Study API security frameworks and best practices
• Learn about API monitoring and threat detection
• Practice implementing security measures in your APIs