An API is about sharing data safely, which means controlling who gets to see what and when they get to see it. We have three levels of security built into our API framework

No security at all
Sometimes, like this blog for example, you might want everyone to access your data without any need to log in. (Yes, this blog is hosted in our API framework.) In that case, you might not need any security at all, and it's okay to not have security as long as you know why you chose not to have people, or a service, authenticate.

Role Based Access Control (RBAC)
Most often we assign roles to people and services. There might be a role like everyone which could include everyone who has an account. But then you might need a role like editor to limit who can add, change or remove things.

We group API endpoints by Method (aka verb) and path, so in this blog for example we have /v1/blogs but we have different roles for looking at the blogs and creating them:

GET /v1/blogs
Return a list of the blogs
No authentication required

POST /v1/blogs
Create a new blog
Requires a token with the editor role

Usually there is an admin role who gets to dish out the advanced roles like editor, in Enterprise systems there are often approval systems that create checks and balances on how those roles get granted, but it doesn't have to be complicated, it just has to work for your business process and be secure.

Attribute-Based Access Control (ABAC)
There is one more level of security that we include with our API framework, and that's Attribute-Based Access Control which can assign ownership to a specific object or collection based on a variable in the path.

For example, all the blogs in the /v1/blogs collection have a unique identifier (a UUID), and if we wanted to grant ownership of specific blogs we might include a list of those IDs in our authentication.

PUT /v1/blogs/1eecea64-b936-460c-be4f-fec4d4861ed5
Replace the contents of this single object
Requires the editor role and the blogId 1eecea64-b936-460c-be4f-fec4d4861ed5 in claims

Now as the editor creates new blog posts, we can automate a list of which ones they get to edit. That is, just because I can edit and delete my own blogs, doesn't mean I should be able edit and delete your blogs, even if they are in the same collection.

Security doesn't have to be hard
People developing applications often leave security to the end, or to another team, or, unfortunately, never get it quite right. We've built a platform that should make it easy to describe your API, create rules and roles, and know that your data is both available to who needs it, and locked up tight from who shouldn't be touching it.