Ask the Experts: Understanding the API Context Maturity Model - Level 2 - Authorized API Calls

By: Mayur Upadhyaya & Jamie Beckland

Welcome back to our 'Ask the Experts: Understanding the API Context Maturity Model' series. We've made our way up from open public API calls to authenticated API calls, and now we're ready to unpack Level 2 - Authorized API Calls. As a reminder, we have distilled key comments from the hundreds of technology leaders we consulted to develop the Context Maturity Model, and we are sharing their thoughts anonymously to give you the most unfiltered view of the current state of APIs.

After establishing an authentication system at Level 1, the next challenge for organizations is to establish an authorization system. With authorization in place, API calls can be made by authenticated users with specific permissions. This reduces the risk of users accessing data or functions that they aren't supposed to, adding another layer of security and control to the API environment.

A CTO of a fintech start-up shared their experience moving to Level 2. "After incorporating authentication measures, we soon realized the need for further granularity in API access. We needed to ensure that authenticated users could only access data and functions relevant to their roles. Transitioning to authorized API calls helped us achieve that."

This level of authorization is crucial in environments where data sensitivity varies or where roles differ significantly in their access requirements. For instance, an executive at a multinational banking corporation highlighted how implementing authorization measures was a game-changer in their highly regulated industry.

They said, "In our industry, data sensitivity varies enormously, and so does role-based access requirements. With authorized API calls, we were able to ensure that our employees could access only the data and functions that were pertinent to their work. This move dramatically improved our data security posture."

However, like every step in the maturity model, Level 2 comes with its own set of challenges. The more granular the access control, the more complex the system can become. Organizations often struggle with managing a large number of roles and permissions, which can lead to misconfigurations.

In our next post, we'll delve into Level 3 - Purpose and Use Defined API Calls, where we will discuss how organizations can deal with complex role and permission challenges by defining the purpose and use of each API call.

Till then, stay tuned, and as always, feel free to reach out for more insights on API security and best practices.