Definition

What is API Security?

A set of practices and controls designed to protect application programming interfaces (APIs) from unauthorized access, misuse, and attacks. APIs directly expose business logic and data, making them high-value targets; common vulnerabilities include broken object-level authorization, mass assignment, and excessive data exposure. Automated penetration testing tools increasingly focus on API-specific attack patterns as API-first architectures become the norm.

A vulnerability that occurs when an application exposes an internal implementation object — such as a database record ID, filename, or account number — without verifying that the requesting user is authorized to access it.

Broken Authentication →

A class of vulnerabilities that allows attackers to compromise passwords, keys, or session tokens, or exploit implementation flaws to assume other users' identities.

Server-Side Request Forgery (SSRF) →

A vulnerability that allows an attacker to induce a server to make HTTP requests to arbitrary internal or external destinations on their behalf, bypassing network segmentation and firewall controls.

JSON Web Token (JWT) →

A compact, self-contained token format used to transmit claims between parties as a digitally signed JSON object, widely used for API authentication and single sign-on flows.

OWASP Top 10 →

A regularly updated consensus list of the ten most critical security risks to web applications, published by the Open Web Application Security Project (OWASP).

Put this into practice

API security testing automation →

See how Penetrify's autonomous AI agents find and validate this class of security issue in your application.

What is API Security?

Related terms