# 3.6.4 API Security management

* Key/secret management
  * Every API must require at least an API key as its minimum level of security
    * Invalidate the key of a misbehaving client
    * Generate analytics using the key as the identifier
    * Usage metrics
  * For the API developer
    * Management of keys/secrets
    * Implementation of key/secret checks in the API
  * For the app developer
    * The developer controls the key/secret
      * Create -> Renew -> Delete
        * Set up key validation: [apigee](https://apigee.com/api-management/#/homepage)
* OAuth 2.0 implementation
  * You will need to connect to your enterprise identity and access management solution, such as LDAP
  * Manage the storage of tokens
  * At a high level, the authorization server takes care of **tokens**, **scopes** and **clients**

    ![](https://163116165-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G7tIs4o9F9vSrao%2F-M4M0IVB0ax0vs2ocz_r%2F-M4M0YDbmjmP20ul4ksl%2F%E6%9C%AA%E5%91%BD%E5%90%8D12124.jpg?generation=1586302968461648\&alt=media)
* Functional threats
  * Adopt API testing practices and tools
  * Engage a third party for vulnerability assessments
  * Monitor continuously to detect attacks/threats
  * Be proactive in protecting the API from new attack types
  * Implement threat protection in the proxy
* API Infrastructure
  * A public API can be built with the help of an API management platform
  * An API management platform is essentially [proxy based](https://jenhsuan.gitbooks.io/asp-net/content/chapter3rest-api-design-development-and-management/35api-management/351introduction-to-api-management.html)

    ![](https://163116165-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G7tIs4o9F9vSrao%2F-M4M0IVB0ax0vs2ocz_r%2F-M4M0YDd8d0FL-lGf0Vk%2F%E6%9C%AA%E5%91%BD%E5%90%8D21.jpg?generation=1586302968461376\&alt=media)
* API security practices
  * Educate the API developers
  * Provide development guidelines on security
  * Stay up to date on security threats
  * Have a well-defined security policy
  * Develop a contingency plan
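The key/secret management points above (key required on every call, Create -> Renew -> Delete, invalidating a misbehaving client, usage metrics with the key as identifier) in a small in-memory key manager. This is an added example, not code from the notes or from apigee; the `MAX_VIOLATIONS` policy and the class and method names are assumptions.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    client_id: str
    active: bool = True
    calls: int = 0       # usage metric, keyed by the client the key identifies
    violations: int = 0  # requests the proxy's threat protection rejected


class ApiKeyManager:
    MAX_VIOLATIONS = 3  # assumed policy: invalidate a key after this many rejections

    def __init__(self) -> None:
        self._records: dict[str, KeyRecord] = {}  # sha256(key) -> record; raw keys never stored

    @staticmethod
    def _digest(raw_key: str) -> str:
        # Only digests are stored, so a leaked key table cannot be replayed against the API.
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def create(self, client_id: str) -> str:
        raw_key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(raw_key)] = KeyRecord(client_id)
        return raw_key  # shown to the client once, never stored in clear

    def renew(self, old_key: str) -> str:
        rec = self._records.pop(self._digest(old_key))  # old key stops working at once
        return self.create(rec.client_id)  # same client, fresh secret

    def delete(self, raw_key: str) -> None:
        self._records.pop(self._digest(raw_key), None)

    def validate(self, raw_key: str) -> str | None:
        rec = self._records.get(self._digest(raw_key))
        if rec is None or not rec.active:
            return None  # unknown, revoked or deleted key: reject the request
        rec.calls += 1
        return rec.client_id

    def report_violation(self, raw_key: str) -> None:
        rec = self._records.get(self._digest(raw_key))
        if rec is not None:
            rec.violations += 1
            rec.active = rec.violations < self.MAX_VIOLATIONS  # misbehaving client is cut off

    def metrics(self) -> dict[str, int]:
        return {r.client_id: r.calls for r in self._records.values()}
```

The proxy in front of the API calls `validate` on every request and `report_violation` whenever its threat protection rejects one; once a client crosses the threshold its key is invalidated until a new one is issued.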
