Panel Discussion: API Security in DevSecOps. Watch the Recording

Panel Discussion: API Security in DevSecOps. Watch the Recording

Panel Discussion: API Security in DevSecOps. Watch the Recording

/

/

API Documentation

API Documentation

API Documentation
API Documentation
API Documentation

Luke Stephens

Luke Stephens

Luke Stephens

What is API Documentation?

API Documentation is a detailed explanation provided by the API creator to help users understand how to use and interact with the API effectively. It serves as the instruction manual for interacting with the API, detailing the functionalities, data structures, and protocols involved. Just as a recipe guides you through the process of making a dish, API documentation guides developers on how to interact with an API to get the desired output. This includes:

  • Endpoint Descriptions: Explanation of what each endpoint does.

  • HTTP Methods: The HTTP methods supported by each endpoint (GET, POST, PUT, DELETE, etc.).

  • Parameters: Description of parameters that can be passed and their format.

  • Request and Response Examples: Examples of request bodies, headers, and possible response bodies and headers.

  • Error Codes: Explanation of possible error codes and what they mean.

  • Authentication: Information on how to authenticate with the API.

How is API Documentation created?

Manual Creation:

Initially, API documentation may be created manually by developers as they build the API. This is often done using text editors or documentation-specific tools like Markdown editors, or platforms like Confluence or GitHub Wiki.

Automated Generation:

Tools like Akto, Swagger or Postman can automate the documentation process by scanning the API code and generating documentation based on the code and annotations within the code.

Continuous Update:

As APIs evolve, documentation needs to be updated continuously to reflect the changes. This can be a combination of automated generation and manual updates to ensure accuracy and completeness.

Characteristics of Good API Documentation:

  • Comprehensive: Covers all necessary topics in detail.

  • Up-to-Date: Is consistently updated to reflect the latest changes.

  • Easy to Navigate: Well-structured with a clear table of contents.

  • Interactive: Provides an interactive environment to test endpoints.

Let's consider a hypothetical endpoint in an API documentation that retrieves information about a book based on its ID:

API documentation example:

Endpoint Description:

  • Endpoint: /books/{bookId}

  • Method: GET

  • Description: Retrieves the details of a specific book.

  • Parameters: bookId (path, required): The ID of the book.

  • Success Response: 200 OK: Success.

    Body:

{
  "id": "12345",
  "title": "To Kill a Mockingbird",
  "author": "Harper Lee",
  "publishedYear": 1960
}
  • Error Response: 404 Not Found

{
  "error": "Book not found"
}

This example highlights key features:

  • A clear endpoint description such as GET /books which signifies a GET request to the /books endpoint.

  • Parameters are detailed, for instance, author (optional, string, query) indicating the parameter's optionality, type, and location.

  • Response status codes and examples are provided like 200 OK: { "id": 1, "title": "Example Book" }, showcasing the expected response structure.

Bad API Documentation Example:

Endpoint Description:

  • Endpoint: /getBook

  • Description: Get a book's details.

  • Parameters: id (required)

  • Response: JSON object with book info.

This example showcases several issues that could be improved:

  • The endpoint path deviates from RESTful conventions, which could be rectified by adhering to standard RESTful endpoint naming conventions.

  • The HTTP method is omitted, creating ambiguity on how to interact with the endpoint; specifying the HTTP method (e.g., GET, POST, etc.) would resolve this.

  • Parameters lack essential details such as type and location; providing this information as id (required, integer, path) would be more informative.

  • The response description is vague with no examples or structure provided; supplying a well-structured response example like 200 OK: { "id": 1, "title": "Example Book" } would clarify what to expect.

  • There's no mention of possible status codes or error responses; including a list of possible status codes and corresponding error messages would help users understand how to handle different scenarios.

Best Practices in API Documentation

  • Consistency: This includes consistent naming conventions, formatting, and organization. For example, always use GET, POST, PUT, DELETE to denote HTTP methods consistently.

  • Clarity: Ensuring that explanations are clear, concise, and easy to understand is crucial. Avoid jargon and complex language; instead, aim for simplicity and straightforwardness. Providing examples and visuals can also enhance clarity. For instance, provide sample requests and responses like:

GET /books/1
{
  "id": "1",
  "title": "To Kill a Mockingbird",
  "author": "Harper Lee"
}
  • Continuous Update: As your API evolves, so should your documentation. Regularly update the documentation to reflect any changes in the API, including new endpoints, parameters, or error messages. For example, if a new field publisher is added to the Book object, ensure it's documented:

{
  "publisher": "Penguin Books"
}

Challenges in API Documentation

Here are some of the challenges you may encounter:

  • Keeping Up with Changes: APIs are often in a state of continuous development, and keeping the documentation updated with these changes can be a daunting task.

  • Ensuring Accuracy: Documentation is only as valuable as its accuracy. Ensuring that the documentation accurately represents the API's functionality, including all available endpoints, request/response formats, and error codes, is crucial. This requires a systematic approach to documentation, often involving collaboration between developers and technical writers.

  • Balancing Detail and Brevity: It's a fine line between providing enough detail for clear understanding and overwhelming readers with too much information. For example, provide a summary along with detailed information:

### Update a Book
Update the details of a book with a given ID.

**Endpoint**: `PUT /books/{id}`
**Parameters**:
- `id` (path, required): The ID of the book to update.
- `title` (body, optional): The new title of the book.
- `author` (body, optional): The new author of the book

API Documentation's Role in API Security

Well-maintained documentation provides the necessary guidelines and protocols for safe interactions with the API, thereby reducing the risk of security breaches:

  • Security Protocols: This includes encryption standards, authentication mechanisms, and other security policies. For instance, explaining how to securely connect to your API using HTTPS:

Ensure all connections to the API are made via HTTPS to ensure data encryption in transit
  • Authentication and Authorization: Detailed documentation on how to authenticate and authorize users is paramount. This should include explanations on how to obtain, refresh and use authentication tokens, and what permissions are required for different operations. For example:

To access protected endpoints, obtain an OAuth 2.0 token by following the authentication flow outlined in the Authentication section. Include this token in the Authorization header with the Bearer schema in your HTTP requests
  • Error Handling: Document how your API handles errors, especially security-related errors like authentication failure. Provide examples of error responses, so users know what to expect and how to react. For instance:

{
  "error": "invalid_token",
  "error_description": "The access token provided is expired, revoked, malformed, or invalid."
}
  • Rate Limiting: Clearly document any rate limits to prevent abuse and ensure fair usage of your API. Include information on how rate limiting is communicated to clients, and what steps should be taken when rate limits are approached or exceeded. For example:

Our API enforces rate limiting to ensure a fair usage policy. If you exceed your rate limit, you will receive a 429 Too Many Requests response. Refer to the headers `X-RateLimit-Limit` and `X-RateLimit-Remaining` to monitor your usage
  • Input Validation: Explain how input validation is handled and what kind of input is expected. Documenting acceptable input, and how the API responds to unexpected or malicious input, is crucial for preventing injection attacks. For example:

Ensure your input conforms to the expected formats as outlined in the Parameters section to prevent input validation errors
  • Endpoint Security: Document any specific security considerations for individual endpoints. For example, if certain endpoints require special permissions or have higher security requirements, this should be clearly documented.

The `/admin` endpoint requires an admin-level access token and is protected against Cross-Site Request Forgery (CSRF) attacks
  • Security Contact: Provide a contact point for security concerns. If users find potential security issues, they should have a clear pathway for reporting these issues. For example:

If you encounter any security-related issues, please contact our security team at security@example.com

On this page

Title

Protect your APIs from attacks now

Protect your APIs from attacks now

Protect your APIs from attacks now

Explore more from Akto

Blog

Be updated about everything related to API Security, new API vulnerabilities, industry news and product updates.

Events

Browse and register for upcoming sessions or catch up on what you missed with exclusive recordings

CVE Database

Find out everything about latest API CVE in popular products

Test Library

Discover and find tests from Akto's 100+ API Security test library. Choose your template or add a new template to start your API Security testing.

Documentation

Check out Akto's product documentation for all information related to features and how to use them.