SlideShare a Scribd company logo

Designing JavaScript APIs

Download as pptx, pdf
Jonathan LeBlanc
Jonathan LeBlanc

This document discusses best practices for designing JavaScript APIs. It covers topics like securing APIs using OAuth 2 and CORS for authorization, following HATEOAS principles to allow for automation by providing state transitions and links to next actions, and designing APIs to be stateless by sending complete representations in requests. The goal is to build APIs that are secure, easy to use and integrate, and allow developers to automate complex workflows.

Technology
1 of 41
Downloaded 21 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Designing JavaScript APIs Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal
API? SDK?
Automation?
What JavaScript Can Feel Like
JavaScript Challenges
The Same-Origin Policy
Keeping Private Keys Private
Not Providing a Hacked Experience
How Did We Used to Do It?
Server-side Proxies
Flash / iFrame Proxies
Private Token Storage
Securing Resources
A Modern Approach OAuth 2 Tight Access Control CORS Easy Access Control
OAuth 2 User Agent Flow
Redirect the User to Log In Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
User Agent Flow: Redirect var auth_uri = auth_endpoint + "?response_type=token" + "&client_id=" + client_id + "&scope=profile" + "&redirect_uri=" + window.location; $("#auth_btn").attr("href", auth_uri);
Extract the Access Token Fetch the Hash Mod access_token refresh_token expires_in Extract Access Token
User Agent Flow: Hash Mod Extract the Access Token from the Hash http://site.com/callback#access_token=rBEGu1FQr5 4AzqE3Q&refresh_token=rEBt51FZr54HayqE3V4a& expires_in=3600 var hash = document.location.hash; var match = hash.match(/access_token=(w+)/);
Get Privileged API Resources Set Request Headers + URI Resource Endpoint Header: token type + access token Header: accept data type HTTPS Request
User Agent Flow: Get Resources Making an Authorized Request $.ajax({ url: resource_uri, beforeSend: function (xhr) { xhr.setRequestHeader('Authorization', 'OAuth ' + token); xhr.setRequestHeader('Accept', 'application/json'); }, success: function (response) { //use response object } });
CORS Easy Access Control
Cross Origin Issues and Options Access to other domains / subdomains is restricted (same origin policy) JSONP to request resources across domains Only supports HTTP GET requests Cross-origin resource sharing (CORS) Supports additional range of HTTP requests
Can you use it? http://caniuse.com/cors Support: 79.42% Partial support: 8.84% Total: 88.26%
How Does it Work? Site sends Origin header to server OPTIONS /v1/oauth2/token HTTP/1.1 Origin: http://jcleblanc.com Access-Control-Request-Method: PUT Host: api.sandbox.paypal.com Accept-Language: en-US Connection: keep-alive ...
How Does it Work? Server responds with matching Access-Control-Allow-Origin header Access-Control-Allow-Origin: http://jcleblanc.com Access-Control-Allow-Methods: GET, POST, PUT Content-Type: text/html; charset=utf-8
A Lil’ Bit O’ Automation
Uniform Interface Sub-Constraints Resource Identification Resources must be manipulated via representations Self descriptive messages Hypermedia as the engine of application state
Uniform Interface Sub-Constraints Resource Identification Resources must be manipulated via representations Self descriptive messages Hypermedia as the engine of application state
HATEOAS
How we Normally Consume APIs
Using HATEOAS to Automate
How HATEOAS Works You make an API request curl -v -X GET https://api.sandbox.paypal.com/v1/payments/authoriz ation/2DC87612EK520411B -H "Content-Type:application/json" -H "Authorization:Bearer ENxom5Fof1KqAffEsXtx1HTEK__KVdIsaCYF8C"
"links": [ { "href":"https://api.sandbox.paypal.com/v1/payments/ authorization/6H149011U8307001M", "rel":"self", "method":"GET" },{ "href":"https://api.sandbox.paypal.com/v1/payments/ authorization/6H149011U8307001M/capture", "rel":"capture", "method":"POST” },{ "href":"https://api.sandbox.paypal.com/v1/payments/ authorization/6H149011U8307001M/void", "rel":"void", "method":"POST” } ]
How do we Make it Work with JS? Open Path Library (what to do next) Hierarchy of Requests
Object Chaining
The System Should be Stateless Send complete object to only make 1 request { "id": "PAY-17S8410768582940NKEE66EQ", "create_time": "2013-01-31T04:12:02Z", "update_time": "2013-01-31T04:12:04Z", "state": "approved", "intent": "sale", "payer": {...}, "transactions": [{...}], "links": [{...}] }
Resources and Representations Manipulate a concept (e.g. payment) with the intended state
Chaining Actions The first request builds the action object Subsequent calls manipulate the object var paymentObj = getPreAuth(paymentID) .getNextAction() .processNext(); //build pay object //next HATEOAS link //process action
In Summation Security needs to allow you to work the browser security model Always assume statelessness Build to allow your developers to automate complexities
Thanks! Questions? http://slideshare.com/jcleblanc Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal

More Related Content

What's hot (20)

ODP
Attacking REST API
Siddharth Bezalwar
 
PDF
The Ultimate Guide to Mobile API Security
Stormpath
 
PDF
OAuth2 and Spring Security
Orest Ivasiv
 
PPTX
Secure Your REST API (The Right Way)
Stormpath
 
PPTX
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
PPTX
OAuth2 + API Security
Amila Paranawithana
 
PDF
OAuth - Open API Authentication
leahculver
 
PPTX
Making Sense of API Access Control
CA API Management
 
PPTX
Single-Page-Application & REST security
Igor Bossenko
 
PPTX
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
PDF
Securty Testing For RESTful Applications
Source Conference
 
PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PDF
Spring security oauth2
axykim00
 
PPTX
REST Service Authetication with TLS & JWTs
Jon Todd
 
PPTX
Microservice with OAuth2
◄ vaquar khan ► ★✔
 
PPTX
D@W REST security
Gaurav Sharma
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PDF
Best Practices in Web Service Design
Lorna Mitchell
 
PDF
Pentesting RESTful webservices
Mohammed A. Imran
 
PDF
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
Attacking REST API
Siddharth Bezalwar
 
The Ultimate Guide to Mobile API Security
Stormpath
 
OAuth2 and Spring Security
Orest Ivasiv
 
Secure Your REST API (The Right Way)
Stormpath
 
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
OAuth2 + API Security
Amila Paranawithana
 
OAuth - Open API Authentication
leahculver
 
Making Sense of API Access Control
CA API Management
 
Single-Page-Application & REST security
Igor Bossenko
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
Securty Testing For RESTful Applications
Source Conference
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Spring security oauth2
axykim00
 
REST Service Authetication with TLS & JWTs
Jon Todd
 
Microservice with OAuth2
◄ vaquar khan ► ★✔
 
D@W REST security
Gaurav Sharma
 
OAuth2 - Introduction
Knoldus Inc.
 
Best Practices in Web Service Design
Lorna Mitchell
 
Pentesting RESTful webservices
Mohammed A. Imran
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 

Similar to Designing JavaScript APIs (20)

PPTX
Secure RESTful API Automation With JavaScript
Jonathan LeBlanc
 
PPTX
RESTful API Automation with JavaScript
Jonathan LeBlanc
 
PPTX
API design principles for accelerated development
Jonathan LeBlanc
 
PPTX
(1) OAuth 2.0 Overview
anikristo
 
PPTX
OAuth2 and OpenID with Spring Boot
Geert Pante
 
PDF
Full stack security
DPC Consulting Ltd
 
PPT
Securing RESTful API
Muhammad Zbeedat
 
PDF
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
PDF
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
apidays
 
PDF
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena
 
PPTX
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
PPTX
Securing API data models
Jonathan LeBlanc
 
PDF
Securing APIs with OAuth 2.0
Kai Hofstetter
 
PDF
PayPal Access GDG DevFest
PayPal
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
PPTX
Introduction to OAuth2
Kumaresh Chandra Baruri
 
PDF
De la bonne utilisation de OAuth2
Leonard Moustacchis
 
PPTX
Oauth
Rob Paok
 
PDF
Implementing OAuth
leahculver
 
Secure RESTful API Automation With JavaScript
Jonathan LeBlanc
 
RESTful API Automation with JavaScript
Jonathan LeBlanc
 
API design principles for accelerated development
Jonathan LeBlanc
 
(1) OAuth 2.0 Overview
anikristo
 
OAuth2 and OpenID with Spring Boot
Geert Pante
 
Full stack security
DPC Consulting Ltd
 
Securing RESTful API
Muhammad Zbeedat
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
apidays
 
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
Securing API data models
Jonathan LeBlanc
 
Securing APIs with OAuth 2.0
Kai Hofstetter
 
PayPal Access GDG DevFest
PayPal
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
Introduction to OAuth2
Kumaresh Chandra Baruri
 
De la bonne utilisation de OAuth2
Leonard Moustacchis
 
Oauth
Rob Paok
 
Implementing OAuth
leahculver
 
Ad

More from Jonathan LeBlanc (20)

PDF
JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
 
PDF
Improving Developer Onboarding Through Intelligent Data Insights
Jonathan LeBlanc
 
PDF
Better Data with Machine Learning and Serverless
Jonathan LeBlanc
 
PPTX
Best Practices for Application Development with Box
Jonathan LeBlanc
 
PPTX
Box Platform Overview
Jonathan LeBlanc
 
PPTX
Box Platform Developer Workshop
Jonathan LeBlanc
 
PPTX
Modern Cloud Data Security Practices
Jonathan LeBlanc
 
PPTX
Box Authentication Types
Jonathan LeBlanc
 
PPTX
Understanding Box UI Elements
Jonathan LeBlanc
 
PPTX
Understanding Box applications, tokens, and scoping
Jonathan LeBlanc
 
PPTX
The Future of Online Money: Creating Secure Payments Globally
Jonathan LeBlanc
 
PDF
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
PPTX
Creating an In-Aisle Purchasing System from Scratch
Jonathan LeBlanc
 
PDF
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
PDF
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
PDF
Node.js Authentication and Data Security
Jonathan LeBlanc
 
PDF
PHP Identity and Data Security
Jonathan LeBlanc
 
PPTX
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
PDF
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
PPTX
Future of Identity, Data, and Wearable Security
Jonathan LeBlanc
 
JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
 
Improving Developer Onboarding Through Intelligent Data Insights
Jonathan LeBlanc
 
Better Data with Machine Learning and Serverless
Jonathan LeBlanc
 
Best Practices for Application Development with Box
Jonathan LeBlanc
 
Box Platform Overview
Jonathan LeBlanc
 
Box Platform Developer Workshop
Jonathan LeBlanc
 
Modern Cloud Data Security Practices
Jonathan LeBlanc
 
Box Authentication Types
Jonathan LeBlanc
 
Understanding Box UI Elements
Jonathan LeBlanc
 
Understanding Box applications, tokens, and scoping
Jonathan LeBlanc
 
The Future of Online Money: Creating Secure Payments Globally
Jonathan LeBlanc
 
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
Creating an In-Aisle Purchasing System from Scratch
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Node.js Authentication and Data Security
Jonathan LeBlanc
 
PHP Identity and Data Security
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Future of Identity, Data, and Wearable Security
Jonathan LeBlanc
 
Ad

Recently uploaded (20)

PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
PDF
LLM Search Readiness Audit - Dentsu x SEO Square - June 2025.pdf
Nick Samuel
 
PPTX
01_Approach Cyber- DORA Incident Management.pptx
FinTech Belgium
 
PDF
EIS-Webinar-Engineering-Retail-Infrastructure-06-16-2025.pdf
Earley Information Science
 
PDF
How to Visualize the ​Spatio-Temporal Data Using CesiumJS​
SANGHEE SHIN
 
PDF
Database Benchmarking for Performance Masterclass: Session 2 - Data Modeling ...
ScyllaDB
 
PDF
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical Universes
Saikat Basu
 
PDF
Salesforce Summer '25 Release Frenchgathering.pptx.pdf
yosra Saidani
 
PPSX
Usergroup - OutSystems Architecture.ppsx
Kurt Vandevelde
 
PDF
2025_06_18 - OpenMetadata Community Meeting.pdf
OpenMetadata
 
PDF
Plugging AI into everything: Model Context Protocol Simplified.pdf
Abati Adewale
 
PDF
Kubernetes - Architecture & Components.pdf
geethak285
 
PDF
FME as an Orchestration Tool with Principles From Data Gravity
Safe Software
 
PPTX
Simplifica la seguridad en la nube y la detección de amenazas con FortiCNAPP
Cristian Garcia G.
 
PDF
Python Conference Singapore - 19 Jun 2025
ninefyi
 
PDF
The Growing Value and Application of FME & GenAI
Safe Software
 
PPTX
Paycifi - Programmable Trust_Breakfast_PPTXT
FinTech Belgium
 
PDF
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 
PPTX
reInforce 2025 Lightning Talk - Scott Francis.pptx
ScottFrancis51
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
LLM Search Readiness Audit - Dentsu x SEO Square - June 2025.pdf
Nick Samuel
 
01_Approach Cyber- DORA Incident Management.pptx
FinTech Belgium
 
EIS-Webinar-Engineering-Retail-Infrastructure-06-16-2025.pdf
Earley Information Science
 
How to Visualize the ​Spatio-Temporal Data Using CesiumJS​
SANGHEE SHIN
 
Database Benchmarking for Performance Masterclass: Session 2 - Data Modeling ...
ScyllaDB
 
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical Universes
Saikat Basu
 
Salesforce Summer '25 Release Frenchgathering.pptx.pdf
yosra Saidani
 
Usergroup - OutSystems Architecture.ppsx
Kurt Vandevelde
 
2025_06_18 - OpenMetadata Community Meeting.pdf
OpenMetadata
 
Plugging AI into everything: Model Context Protocol Simplified.pdf
Abati Adewale
 
Kubernetes - Architecture & Components.pdf
geethak285
 
FME as an Orchestration Tool with Principles From Data Gravity
Safe Software
 
Simplifica la seguridad en la nube y la detección de amenazas con FortiCNAPP
Cristian Garcia G.
 
Python Conference Singapore - 19 Jun 2025
ninefyi
 
The Growing Value and Application of FME & GenAI
Safe Software
 
Paycifi - Programmable Trust_Breakfast_PPTXT
FinTech Belgium
 
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 
reInforce 2025 Lightning Talk - Scott Francis.pptx
ScottFrancis51
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 

Designing JavaScript APIs

Editor's Notes

  • #8: Keeping private keys private
  • #24: JSONP can cause XSS issues where the external site is compromised, CORS allows websites to manually parse responses to ensure security
  • #27: Behind the server scene, the server looks up the application in their records to verify that the application matches what is on file against the application location making the request
  • #31: Hypermedia as the engine of application state
  • #36: How do you improve this structure to make it useable for automation?
  • #37: Resources must be manipulated via representations. This goes back to the stateless principles
  • #40: REST principle of using objects applied to chaining multiple objects together