Securing your API with BinaryOps

When designing software there’s always a balance to strike between flexibility and complexity. On one hand, you could design for every conceivable situation, but explaining it simply would then be impossible. On the other hand, you could design something that’s simple to use but quickly falls down when applied in the real world.

Securing your API

I feel we’ve found a middle ground with the security we’ve built for the BinaryOps APIs. We’ve implemented a system that is simple to apply and should be adequate for most cases, but with a little more effort it can also accommodate the complex situations. It is a system of Users, Roles and Groups.

  • Roles can be linked to an Entity (aka, Collection or Table), and can have Create, Read, Update and Delete permissions.
  • A Group is, quite simply, a group of Roles. Any number of Roles can be added to a Group. The Group’s permissions are the sum of the permissions of its Roles.
  • A User can have any number of Groups assigned to it, and the User’s permissions are the sum of the permissions of its Groups.

There’s one more thing. Not every Entity needs to be queried by a named user. Sometimes data is wide open to the public, so we’ve created the notion of an anonymous User. This is a special API user account that can have Groups assigned to it like any other. API requests without a Bearer token in the ‘Authorization’ header inherit the permissions assigned to the anonymous User.
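To make the additive model concrete, here is an added Python sketch of how the Role, Group, User and anonymous-User rules above compose; it is illustration written for this post, not BinaryOps’ own code, and the class names, the token table and the decision to reject an unknown token (rather than downgrade it to anonymous) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set
# Hypothetical model of the scheme described above; names are assumptions, not BinaryOps' API.
Perms = Dict[str, Set[str]]  # entity -> subset of {"create", "read", "update", "delete"}

def merge(sources: Iterable[Perms]) -> Perms:
    # Permissions are additive: union the actions granted on each Entity.
    out: Perms = {}
    for perms in sources:
        for entity, actions in perms.items():
            out.setdefault(entity, set()).update(actions)
    return out

@dataclass(frozen=True)
class Role:
    entity: str            # the Entity (collection/table) this Role is linked to
    perms: FrozenSet[str]

@dataclass
class Group:
    roles: List[Role]
    def permissions(self) -> Perms:
        # A Group's permissions are the sum of its Roles' permissions.
        return merge({r.entity: set(r.perms)} for r in self.roles)

@dataclass
class User:
    groups: List[Group]
    def permissions(self) -> Perms:
        # A User's permissions are the sum of its Groups' permissions.
        return merge(g.permissions() for g in self.groups)

# Constructed sample data; the bearer token value is a placeholder.
PUBLIC = Group([Role("posts", frozenset({"read"}))])
AUTHORS = Group([Role("posts", frozenset({"create", "update"})),
                 Role("comments", frozenset({"read"}))])
ANONYMOUS = User([PUBLIC])
USERS_BY_TOKEN = {"tok-editor-placeholder": User([PUBLIC, AUTHORS])}

def resolve_user(authorization: Optional[str]) -> User:
    # No Bearer token in the Authorization header -> the anonymous User's Groups apply.
    if authorization is None:
        return ANONYMOUS
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.strip() not in USERS_BY_TOKEN:
        # Assumption: a present-but-unknown token is rejected, not downgraded to anonymous.
        raise PermissionError("invalid or unknown bearer token")
    return USERS_BY_TOKEN[token.strip()]

def is_allowed(authorization: Optional[str], entity: str, action: str) -> bool:
    return action in resolve_user(authorization).permissions().get(entity, set())
```

Because grants only accumulate, a Role added to any Group a User belongs to widens that User’s access, so review Group membership when auditing who can write to an Entity.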

I hope that gives you an understanding of how we’ve made securing your API simple, yet allowed for the flexibility to secure your API in whatever way you need.

Tags: api, security