Spotting API Security Trends in ProgrammableWeb's API Directory

Editor's note: Be sure to check out our research on the overall growth of Web APIs since 2005. At the time of writing, this is the most recent data we have, but check the research page to see if we have a more updated article. We will be continually updating the overall growth chart with other charts getting updated on a less frequent basis.

When ProgrammableWeb first started, API security was something that was thought of, but certainly wasn't the foremost concern that it is today. It wasn't unheard of for an API to be secured by nothing more than a username and password, known as HTTP Basic Authentication. Of course things have changed as API practitioners have come to understand both the importance of and difficulty in securing them. As ProgrammableWeb Editor in Chief David Berlind noted in his series on API Security,

APIs are rapidly becoming one of the most important infrastructural layers of the Internet while at the same time becoming a critical component of modern day attacks. They are difficult to secure and determined hackers are extremely tenacious in finding ways to exploit them.

Since the early days of ProgrammableWeb, we have tracked the various methods that API providers have used to authenticate their APIs for use in an effort to make API communications more secure. In our data model, we refer to these methods as Authentication Models because that is what they are used for; identifying users as a means of limiting or keeping track of API traffic. The table below shows the count of all the Authentication Models that we have record of in our directory.


API Key3894
HTTP Basic Auth1153
OAuth 2920
App ID256
OAuth 1232
Shared Secret143

We see that API Key is the most widely used Authentication Model with 20% of the APIs in our directory making use of it. This is no surprise as API keys have been in use since the early days of web APIs. It's important to understand that while API keys may once have been looked at as a security technology they are no longer regarded as a reliable method for securing APIs.. But they still serve an important purpose - that of identifying the developer or application that's making specific API calls (something that's important to keep track of).

This is not to pick on API keys, in fact all the Authentication Models listed above will face the same limitations if used alone to secure an API. Each of these models are important pieces of what make up an API security checklist that every provider should have.

One of the interesting stories that the Authentication Model data tells us is when, in the API economy's history, did the industry start to realize the importance of API security. The chart below shows us a trend model for Authentication Model data as it appeared in our directory over time.

Spotting API Security Trends chart

You'll notice that the numbers have been omitted and the reason is that the data is not additive. Where some APIs may only use one model, there are others that use multiple methods. For example, an API that uses OAuth 2 in combination with a JSON Web Token. What is worth noting here is that by early 2014, there was a sharp increase in the amount of Authentication Model data that was appearing in our directory.

What happened to cause this spike? It's fair to guess that education around best practices for securing APIs reached a tipping point. This may have been in no small part due to the number of high profile security breaches that happened around that time. The attacks on Buffer and Pinterest, along with the discovery of a massive API-based security vulnerability at Facebook brought this issue to the fore. If you are interested in learning more about the topic, be sure to check out our APIU series, Understanding the Realities of API Security.

Be sure to read the next Security article: Military Concerns Over Strava Only Scratch The Surface of Blind Faith in the API Economy