API Security
Security is a critical aspect in the design and implementation of APIs, ensuring that only authorized users have access to resources and that information is transmitted and stored securely. Below are some of the standards and practices used by Celcoin to ensure the security of its APIs:
Authentication and Authorization with OAuth 2.0
OAuth 2.0 is a widely adopted authorization protocol that allows third-party applications to access server resources on behalf of a user. It provides limited, specific access tokens instead of full credentials, minimizing risk in case of exposure. OAuth 2.0 supports different flows (grant types) for different use cases, such as direct user authentication or authorization of background applications.
Identity with OpenID Connect
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0, enabling user authentication and obtaining basic user profile information securely. OIDC adds an id_token to OAuth, which is a JWT (JSON Web Token) that contains information about user authentication, making it easier to integrate single sign-on (SSO) systems into your applications.
Transportation Security with mTLS
Mutual TLS (mTLS) is an extension of TLS (Transport Layer Security) that requires authentication from both the client and server, establishing a secure communication channel. mTLS ensures that both the client and server can validate each other's identities, providing an additional layer of security that is particularly useful in enterprise environments and in service-to-service communications.
Access Control by IP Source Identification
Limiting API access based on the requester's IP address is a simple yet effective way to strengthen security. By only allowing requests from a pre-approved list of IP addresses, you can significantly reduce the risk of unauthorized access by ensuring that only trusted clients can consume your API.
Ensuring Idempotence
To avoid unwanted side effects in repeated operations, such as duplication of transactions, it is crucial to implement idempotency mechanisms in your API. Using idempotency keys, the API can treat multiple identical requests as a single operation, ensuring consistency and reliability in request processing.
Request rate control
Rate limiting is an essential security practice to prevent abuse and ensure a fair distribution of API resources among all users. By limiting the number of requests a user can make in a given period of time, rate control helps protect your API from denial-of-service (DDoS) attacks, resource overuse, and other forms of abuse.