The information in this page is for guidance only. It is not a complete list of all security measures you should take, and should not be taken as definitive advice.
A critical aspect of protecting your digital infrastructure is ensuring secure API usage. The best practices discussed here focus on:
- API authentication, to prevent unauthorized access.
- API rate limiting and throttling, to prevent misuse and ensure equitable access.
Requirements
Before you begin, check if the information on this page applies to you.
| Requirement | Description |
|---|---|
| Integration type | The information on this page is relevant for all Adyen integrations. |
API authentication
APIs enable applications to exchange data and services. But such an exchange can only happen after authentication: the client application trying to access another application must prove that it is a legitimate user of the API.
API authentication acts as a gatekeeper that grants access to authentic users and keeps cybercriminals out.
To implement authentication for your own APIs, consider the following.
- API keys: client applications authenticate their API requests by sending an API key in a request header. Treat each key as a secret: store only a hash of it on the server side, accept it only over TLS, rotate it on a schedule and immediately after suspected exposure, and never embed it in client-side code such as browser JavaScript or mobile apps, where it can be extracted.
- OAuth 2.0: an authorization framework for delegated, token-based access. A third-party application obtains a scoped, short-lived access token for a user's resources instead of handling the user's password, API key, or other long-lived credential.
- Multifactor authentication (MFA): encourage or require MFA to access your application, especially if the application handles sensitive data.
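The API key practices above (hashed storage, header-only transport, rotation with a grace period, expiry and revocation, constant-time comparison) as one server-side gatekeeper. This is an added example for a hypothetical service of your own, not Adyen code; the header name, the key format `<key_id>.<secret>` and the limits are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Header name is an assumption for this hypothetical service.
API_KEY_HEADER = "x-api-key"
# Hash compared against when the key ID is unknown, so the check takes the same
# time whether or not the ID exists (avoids key-ID enumeration via timing).
DUMMY_HASH = hashlib.sha256(b"no-such-key").hexdigest()


def _hash_secret(secret: str) -> str:
    # Keys are high-entropy random strings, so an unsalted SHA-256 is enough;
    # a slow password hash is only needed for low-entropy, user-chosen secrets.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class StoredKey:
    key_id: str
    secret_hash: str        # only the hash is stored; the secret is shown to the client once
    owner: str
    expires_at: datetime
    revoked: bool = False


class ApiKeyStore:
    """Issues, rotates and verifies keys of the form '<key_id>.<secret>'."""

    def __init__(self) -> None:
        self._keys: Dict[str, StoredKey] = {}

    def issue(self, owner: str, ttl: timedelta = timedelta(days=90),
              now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = StoredKey(key_id, _hash_secret(secret), owner, now + ttl)
        return f"{key_id}.{secret}"          # returned once, never logged or stored

    def rotate(self, presented: str, grace: timedelta = timedelta(hours=1),
               now: Optional[datetime] = None) -> str:
        """Issue a replacement key. The old key keeps working for a short grace
        period so clients can switch without an outage, then expires."""
        now = now or datetime.now(timezone.utc)
        owner = self.authenticate({API_KEY_HEADER: presented}, now=now)
        if owner is None:
            raise PermissionError("only a valid key can be rotated")
        old = self._keys[presented.partition(".")[0]]
        old.expires_at = min(old.expires_at, now + grace)
        return self.issue(owner, now=now)

    def revoke(self, key_id: str) -> None:
        if key_id in self._keys:
            self._keys[key_id].revoked = True

    def authenticate(self, headers: Dict[str, str],
                     now: Optional[datetime] = None) -> Optional[str]:
        """Return the key owner if the request carries a valid key, else None.
        The key is read from a header only, never from the query string, which
        would end up in access logs and browser history."""
        now = now or datetime.now(timezone.utc)
        lowered = {k.lower(): v for k, v in headers.items()}
        presented = lowered.get(API_KEY_HEADER, "")
        key_id, sep, secret = presented.partition(".")
        record = self._keys.get(key_id) if sep else None
        expected = record.secret_hash if record else DUMMY_HASH
        # Constant-time comparison of equal-length hex digests.
        matches = hmac.compare_digest(expected, _hash_secret(secret))
        if record is None or not matches or record.revoked or now >= record.expires_at:
            return None
        return record.owner
```

The key ID prefix lets the server find the record without a database scan while still never storing the secret part in clear; an attacker who reads the table gets hashes of random 256-bit strings, which are not invertible. Rotation shortens the old key's life instead of killing it outright, which is what lets you rotate on a schedule without coordinating a cut-over with every client.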
The same principles are used for the authentication of your requests to Adyen APIs.
- API credentials: you create an API key or a basic authentication username and password in your Customer Area, and then send it in the relevant HTTP request header (X-API-Key for an API key, Authorization for basic authentication).
- OAuth for partners: a partner is an organization that builds integrations, such as plugins, that enable merchants to accept payments with Adyen. If you are a partner, you can implement OAuth to request access to specific account resources of your customer (the merchant). When your customer authorizes your access request, you get a token that you can use to authorize API requests on their behalf.
Rate limiting and throttling
Rate limiting and throttling are ways to control the flow of traffic, in this case API calls. These techniques are crucial for protecting APIs from malicious use, such as Denial of Service (DoS) attacks, brute-force attacks, and scraping.
Consider implementing the following.
- Distributed rate limiting: limit the number of API requests per client per time period, and keep that count consistent across every part of your system. If several API gateways or service instances serve the same client, they must read and increment shared counters (for example in a central datastore) rather than each keeping its own count; otherwise a client can multiply its limit by the number of gateways.
- Dynamic throttling: adjust the allowed request rate based on real-time traffic and the client's behavior. For example, give an established, trusted client a higher limit than a new client, and tighten the limit further for a client that shows suspicious behavior such as repeated authentication failures.
- Encryption of communications: transmit data over HTTPS so that it is encrypted in transit and protected from eavesdropping and tampering. Also use a correct Transport Layer Security (TLS) configuration: require TLS 1.2 or later, disable weak cipher suites, and make sure clients validate the server certificate rather than disabling verification.
- Regular audits and tests: carry out systematic security audits and penetration tests to find misconfigurations and weaknesses before they become exploitable vulnerabilities, and fix any issues that are found without delay.
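The distributed rate limiting and dynamic throttling items above, as one added example (not Adyen's own code). Two gateway instances share one counter store, so a client's requests count against a single limit wherever they land, and the tier (and therefore the limit) changes as authentication failures accumulate. The in-memory store stands in for Redis, and the window size, tier limits and failure threshold are constructed numbers.

```python
import time
from collections import defaultdict
from threading import Lock
from typing import Dict, Iterable, Optional, Tuple

WINDOW_SECONDS = 60
# Requests allowed per window for each client tier (constructed numbers; tune to your traffic).
TIER_LIMITS = {"trusted": 600, "new": 60, "suspicious": 10}
# A client with this many authentication failures on record is treated as suspicious.
SUSPICIOUS_AFTER_FAILURES = 5


class SharedCounterStore:
    """In-memory stand-in for a store shared by every gateway instance (Redis INCR in
    production). What matters is that all gateways increment and read the same counters."""

    def __init__(self) -> None:
        self._counts: Dict[str, int] = defaultdict(int)
        self._lock = Lock()

    def incr(self, key: str) -> int:
        # Atomic increment-and-return, like Redis INCR, so two gateways cannot both
        # observe the same value and both admit the request.
        with self._lock:
            self._counts[key] += 1
            return self._counts[key]

    def get(self, key: str) -> int:
        return self._counts.get(key, 0)


class RateLimiter:
    """Sliding-window limiter: the previous window's count is weighted by how much of
    it still overlaps the trailing WINDOW_SECONDS, which smooths the double-size burst
    a fixed window allows at its boundary."""

    def __init__(self, store: SharedCounterStore, trusted_clients: Iterable[str] = ()) -> None:
        self.store = store
        self.trusted = set(trusted_clients)

    def record_auth_failure(self, client: str) -> None:
        self.store.incr(f"authfail:{client}")

    def tier(self, client: str) -> str:
        # Dynamic part: behaviour observed at any gateway changes the tier at every gateway.
        if self.store.get(f"authfail:{client}") >= SUSPICIOUS_AFTER_FAILURES:
            return "suspicious"
        return "trusted" if client in self.trusted else "new"

    def allow(self, client: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (allowed, tier) for one request from `client` at time `now`."""
        now = time.time() if now is None else now
        start = now - (now % WINDOW_SECONDS)
        cur_key = f"rl:{client}:{int(start)}"
        prev_key = f"rl:{client}:{int(start - WINDOW_SECONDS)}"
        # Fraction of the previous window still inside the trailing WINDOW_SECONDS.
        weight = 1.0 - (now - start) / WINDOW_SECONDS
        # Count first, then decide: denied requests are counted too, so a client that
        # keeps hammering the limit does not earn a fresh allowance any earlier.
        current = self.store.incr(cur_key)
        estimate = self.store.get(prev_key) * weight + current
        tier = self.tier(client)
        return estimate <= TIER_LIMITS[tier], tier
```

In production the per-window keys need an expiry (Redis EXPIRE of about two windows) so the store does not grow without bound, and the tier decision should also feed the response (429 with a Retry-After header) so well-behaved clients back off instead of retrying immediately.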