<h1 id="api-security-best-practices---curity">API Security Best Practices - curity<a aria-hidden="true" class="anchor-heading icon-link" href="#api-security-best-practices---curity"></a></h1>
<p><a href="https://curity.io/resources/learn/api-security-best-practices/">https://curity.io/resources/learn/api-security-best-practices/</a></p>
<h1 id="always-use-a-gateway">Always Use a Gateway<a aria-hidden="true" class="anchor-heading icon-link" href="#always-use-a-gateway"></a></h1>
<h1 id="always-use-a-central-oauth-server">Always Use a Central OAuth Server<a aria-hidden="true" class="anchor-heading icon-link" href="#always-use-a-central-oauth-server"></a></h1>
<h1 id="only-use-json-web-tokens-internally">Only Use JSON Web Tokens Internally<a aria-hidden="true" class="anchor-heading icon-link" href="#only-use-json-web-tokens-internally"></a></h1>
<ul>
<li><a href="https://curity.io/resources/learn/phantom-token-pattern/">Phantom Token Approach</a></li>
<li><a href="https://curity.io/resources/learn/split-token-pattern/">Split Token Approach</a></li>
<li>Both involve an API Gateway in the process of translating an opaque token into a JWT.</li>
</ul>
<h1 id="use-scopes-for-coarse-grained-access-control">Use Scopes for Coarse-Grained Access Control<a aria-hidden="true" class="anchor-heading icon-link" href="#use-scopes-for-coarse-grained-access-control"></a></h1>
<h1 id="use-claims-for-fine-grained-access-control-at-the-api-level">Use Claims for Fine-Grained Access Control at the API Level<a aria-hidden="true" class="anchor-heading icon-link" href="#use-claims-for-fine-grained-access-control-at-the-api-level"></a></h1>
<h1 id="trust-no-one">Trust No One<a aria-hidden="true" class="anchor-heading icon-link" href="#trust-no-one"></a></h1>
<h1 id="create-or-reuse-libraries-for-jwt-validation">Create or Reuse Libraries for JWT Validation<a aria-hidden="true" class="anchor-heading icon-link" href="#create-or-reuse-libraries-for-jwt-validation"></a></h1>
<h1 id="do-not-mix-authentication-methods">Do Not Mix Authentication Methods<a aria-hidden="true" class="anchor-heading icon-link" href="#do-not-mix-authentication-methods"></a></h1>
<h1 id="protect-all-apis">Protect All APIs<a aria-hidden="true" class="anchor-heading icon-link" href="#protect-all-apis"></a></h1>
<h1 id="issue-jwts-for-internal-clients-inside-your-network">Issue JWTs for Internal Clients Inside Your Network<a aria-hidden="true" class="anchor-heading icon-link" href="#issue-jwts-for-internal-clients-inside-your-network"></a></h1>
<h1 id="use-json-web-key-sets-for-key-distribution">Use JSON Web Key Sets for Key Distribution<a aria-hidden="true" class="anchor-heading icon-link" href="#use-json-web-key-sets-for-key-distribution"></a></h1>
<h1 id="always-audit">Always Audit<a aria-hidden="true" class="anchor-heading icon-link" href="#always-audit"></a></h1>
<h1 id="manage-claims-centrally">Manage Claims Centrally<a aria-hidden="true" class="anchor-heading icon-link" href="#manage-claims-centrally"></a></h1>
<h1 id="abuse-doesnt-have-to-be-a-breach">Abuse Doesn't Have to Be a Breach<a aria-hidden="true" class="anchor-heading icon-link" href="#abuse-doesnt-have-to-be-a-breach"></a></h1>

Create or Reuse Libraries for JWT Validation

Issue JWTs for Internal Clients Inside Your Network

Use Claims for Fine-Grained Access Control at the API Level

Use JSON Web Key Sets for Key Distribution

Use Scopes for Coarse-Grained Access Control

API Security Best Practices - curity


Hi there 👋. I'm a Front-end developer.

---

> I've often described my motivation for building software to others using imagery: I like to go find a secluded beach, build a large, magnificent sand castle, and then walk away. Will anyone notice? Probably not. Will the waves eventually destroy it? Yep. Did I still get immense satisfaction? Absolutely.
>
> — [aliasxneo](https://news.ycombinator.com/item?id=41497113)

> “Motivation often comes after starting, not before. Action produces momentum.”
>
> — James Clear

> Focus is more about **not** keeping busy when you need to wait for something.  
> Eat the boredom for a minute.
>
> — [[life-tips#wodenokoto]]

> [4 minutes run hard enough to push heart rate to 90%, 3 minutes recover, repeat 4 times](https://news.ycombinator.com/item?id=34213181)
>
> - https://www.ntnu.edu/cerg/advice
> - [Get running with Couch to 5K](https://www.nhs.uk/live-well/exercise/running-and-aerobic-exercises/get-running-with-couch-to-5k/)

> [recommended routine - bodyweightfitness](https://www.reddit.com/r/bodyweightfitness/wiki/kb/recommended_routine/) - I Don't Have This Much Time!
>
> - Don't workout at all (saves anywhere from 20 to 60 minutes, but really, really, really, really, really, really, really, really, really not recommended)

> [Just 4 pages a day. It really adds up.](https://news.ycombinator.com/item?id=34779980)

> I think it should be everyone's primary focus to sleep well, drink water, get outside, get active, and eat generally decently. I hate to say it, but if you're not eating a good amount of vegetables and fruit, decent protein, sleep, etc, no amount of XYZ will catch up to that detriment.
>
> — [CE02](https://news.ycombinator.com/item?id=35056071)

> Before leaving for the day I leave a comment in code: I’m working on this, need to do A, B C… to get it working.
>
> — [makz](https://news.ycombinator.com/item?id=40744916)

---

## What I read in past

- [[What I read in 2024|journal.what-i-read-in]]
  - [[2023|journal.what-i-read-in.2023]]
  - [[2022|journal.what-i-read-in.2022]]
- 📝 [Gists](https://gist.github.com/Luke-SNAW)
- 📜 [Journals](https://luke-snaw.github.io/Luke-SNAW__netlify-CMS.github.io/)

---

- [[journal.what-i-struggled-brag-in]]
