E-guide

The future of API

management: Key
trends for IT leaders
 E-guide

In this e-guide
In this e-guide:
What's next for APIs? 4 API As enterprises accelerate digital transformation, API management
trends for 2025 and beyond
has become increasingly complex. IT leaders must navigate an
evolving landscape where efficiency, security, and modernisation
The pros and cons of using
generative AI for API testing intersect—all while working with constrained resources.

Emerging technologies like generative AI and edge computing are

5 fundamental strategies for
REST API authentication reshaping how APIs are designed, deployed and consumed. At the
same time, the exponential threat of cyberattacks is driving
How API attacks work, plus 5 innovations in API security and observability.
common types
This e-guide explores the latest trends shaping application
Getting more CW+ exclusive management, including the challenges of API security, and the
content
transformative impact of generative AI to help organisations future-
proof their application strategies and maintain a competitive edge.

Page 1 of 33
 E-guide

In this e-guide
What's next for APIs? 4 API trends for 2025
What's next for APIs? 4 API
trends for 2025 and beyond
and beyond
Twain Taylor, Freelancer
The pros and cons of using
generative AI for API testing The API ecosystem is at an inflection point.

Emerging technologies like generative AI and edge computing are reshaping

5 fundamental strategies for
how APIs are designed, deployed and consumed. Simultaneously, the
REST API authentication
increasing complexity of distributed systems and the ever-present threat of
cyberattacks are driving innovations in API security and observability. These
How API attacks work, plus 5 forces are converging to create a new paradigm in API development and
common types
management -- one that promises greater functionality, efficiency and resilience.
Embracing digital transformation in API adoption and strategy will be crucial for
Getting more CW+ exclusive organisations aiming to stay competitive.
content
Based on a comprehensive review of various industry reports and expert
recommendations on emerging advancements in the API ecosystem, here are
four key API trends poised to shape the industry and unlock new possibilities in
software integration and data exchange over the next few years.

Page 2 of 33
 E-guide

In this e-guide
1. API security will take center stage
What's next for APIs? 4 API The adoption of distributed architectures triggered a boom in API creation. In a
trends for 2025 and beyond microservices architecture, each service typically requires an interface, leading
to a complex web of interconnected services. As APIs multiply, maintaining
The pros and cons of using centralised control of the ecosystem becomes increasingly challenging. Security
generative AI for API testing suffers and resources are strained as the limits of traditional management
approaches are tested.
5 fundamental strategies for
REST API authentication A stark example of API vulnerabilities came to light in July 2024 when Twilio's
Authy service fell victim to a significant data breach. Threat actors exploited an
How API attacks work, plus 5
unsecured API endpoint and claimed access to 33 million phone numbers
common types associated with Authy multifactor authentication users. To put this into context,
a 2024 report from API security platform Salt Security found that 95% of
respondents experienced security issues in their production APIs in the last
Getting more CW+ exclusive
content year. Research from the API platform Kong predicted that the frequency of API
attacks and security issues will increase tenfold by 2030.

So, what can combat these vulnerabilities? The emergence of new security
standards and protocols specifically tailored for APIs will likely focus on
enhancing authentication mechanisms, improving data encryption and
standardising API security best practices across industries. Specifically, the
integration of AI in API security is gaining momentum. Market research platform

Page 3 of 33
 E-guide

MarketsandMarkets reported a projected growth of the AI cybersecurity market

In this e-guide from $22.4 billion in 2023 to $60.6 billion by 2028.

What's next for APIs? 4 API Although organisations might explore AI-powered monitoring systems that can
trends for 2025 and beyond process API traffic in real time and detect potential threats, it's worth mentioning
that the effectiveness of these systems can vary with implementation and
The pros and cons of using context. Beyond AI, there's also a growing movement toward zero-trust
generative AI for API testing architectures in API security. Zero trust, as the name illustrates, assumes no
implicit trust for any entity and requires continuous authentication and
5 fundamental strategies for authorisation for every API request.
REST API authentication

How API attacks work, plus 5

2. Generative AI will reimagine API development
common types and usage
As AI-driven transformation continues to evolve and accelerate, tech giants like
Getting more CW+ exclusive
AWS, Azure and Google Cloud introduced their own AI services, enabling
content
developers to incorporate AI capabilities into applications with unprecedented
ease. This democratisation of AI is expected to fuel a new wave of intelligent
applications across industries, enhancing both functionality and automation
capabilities. For instance, developers can use AI to generate OpenAPI
specifications from natural language descriptions, streamlining the development
process and reducing the time-to-market for new APIs. Large language models
can also enhance documentation by creating clear, context-aware explanations

Page 4 of 33
 E-guide

and usage examples, making APIs more accessible and easier to implement for
In this e-guide developers of all skill levels.

What's next for APIs? 4 API And while tech leaders and analysts might predict widespread generative AI
trends for 2025 and beyond adoption in API development, the reality on the ground shows both promise and
measured integration. According to API platform Postman's "2024 State of API
The pros and cons of using Report," AI-related API traffic on Postman increased by 73% in the past year.
generative AI for API testing Fifty-four percent of the survey's respondents reported the use of ChatGPT,
followed by GitHub Copilot and Microsoft Copilot as the next most popular AI
5 fundamental strategies for options. Comparatively, 21% of respondents did not report the use of AI tools.
REST API authentication
Current implementations of AI in API development tend to focus on specific
tasks like documentation generation and test case automation. Looking ahead,
How API attacks work, plus 5
the integration of AI in API lifecycle management will likely deepen. However,
common types
organisations must weigh the benefits of accessibility and automation against
the practical challenges of implementing AI within their API workflows. These
Getting more CW+ exclusive
obstacles might include increased infrastructure demands, potential reliability
content
issues with AI-generated code, security risks and higher energy consumption.

Page 5 of 33
 E-guide

In this e-guide
3. Diversification of API standards and
architectural styles
What's next for APIs? 4 API
trends for 2025 and beyond As the API ecosystem diversifies, most large enterprises will employ a mix of
API standards and architectural styles, with GraphQL, AsyncAPI and REST
The pros and cons of using APIs coexisting to serve different use cases within the same organisation.
generative AI for API testing
A 2024 survey from GraphQL native headless CMS Hygraph found that just
5 fundamental strategies for over 61% of respondents report the use of GraphQL in production, and an
REST API authentication additional 10% of respondents report a replacement of REST with GraphQL. As
an alternative to REST APIs, GraphQL enables clients to pull data in a single,
How API attacks work, plus 5 focused query -- a particularly valuable feature in today's data-rich applications,
common types where managing information overload is a constant challenge.

AsyncAPI is emerging as the go-to specification for event-driven architectures.

Getting more CW+ exclusive
As real-time data processing and microservices become more prevalent,
content
AsyncAPI provides a standardised way to describe and document event-driven
and message-based APIs. In 2024, the AsyncAPI Initiative shared stats
showing a surge of AsyncAPI specifications downloads, increasing from 5
million in 2022 to 17 million in 2023.

Despite the rise of new technologies, REST APIs lead in usage and continue to
evolve with the introduction of new specifications and extensions. Looking
ahead, the integration of different standards and design patterns will necessitate

Page 6 of 33
 E-guide

the development of more sophisticated API management platforms capable of

In this e-guide handling diverse API formats.

What's next for APIs? 4 API

trends for 2025 and beyond 4. Serverless API architectures will see increased
adoption in edge computing
The pros and cons of using
generative AI for API testing The synergy between serverless architectures and edge computing is driving a
significant shift toward more efficient, scalable and responsive API
5 fundamental strategies for infrastructures, while also enabling greater automation of resource management
REST API authentication and scaling.

Serverless APIs can provide reduced latency, as processing occurs closer to

How API attacks work, plus 5
the end user at the edge, and cost efficiency is commonly improved through
common types
pay-per-use models. This eliminates the need for constant server maintenance
and offers automatic resource allocation based on demand.
Getting more CW+ exclusive
content However, challenges persist in managing and monitoring serverless APIs at the
edge. Ensuring consistent performance across diverse edge locations can be
demanding -- debugging becomes more complex due to the distributed nature
of edge environments, and an expanded attack surface can elevate security
concerns.

Moving forward, integrating APIs into serverless and edge computing

environments will likely drive the development of more sophisticated edge-

Page 7 of 33
 E-guide

native API management tools that will prioritise enhanced observability across
In this e-guide distributed systems. Consequently, the emergence of new standards
addressing cross-platform compatibility between major cloud providers might be
What's next for APIs? 4 API in order, along with a push for unified monitoring protocols and standardised
trends for 2025 and beyond
deployment patterns across edge locations.

The pros and cons of using

Next Article
generative AI for API testing

5 fundamental strategies for

REST API authentication

How API attacks work, plus 5

common types

Getting more CW+ exclusive

content

Page 8 of 33
 E-guide

In this e-guide The pros and cons of using generative AI for

API testing
What's next for APIs? 4 API
trends for 2025 and beyond Priyank Gupta, Partner

Generative AI shows considerable promise when it comes to the development

The pros and cons of using
of advanced API testing methodologies.
generative AI for API testing

It might take some time and experimentation to effectively implement GenAI

5 fundamental strategies for tools for sustainable, long-term adoption. In the short term, however, deploying
REST API authentication these tools in an assistive manner provides practical experience for teams to
better understand GenAI capabilities and biases -- and potentially improve
How API attacks work, plus 5 overall testing efficiency.
common types

Getting more CW+ exclusive Types of API testing

content
APIs serve as the bedrock of composability, reuse and integration for web
applications. They provide a standardised way to exchange data and extend
capabilities in a mature ecosystem. As a result, developers need to address
multiple complex dimensions for comprehensive API testing. Some of the key
areas include the following:

• Backward compatibility and API versioning.

• Data dependencies and contract adherence.

Page 9 of 33
 E-guide

• Test data management and evolution.

In this e-guide • Data generation and programming of complex scenarios.
• Environment parity and configurations.
• Lockstep testing for intertwined integrations.
What's next for APIs? 4 API
• Third-party integrations.
trends for 2025 and beyond • Performance and load testing.

The pros and cons of using Traditional testing strategies rely on statically generated data sets and response
generative AI for API testing validation. Although these methods are generally effective, conventional testing
approaches might not fully account for unexpected functions that could arise
5 fundamental strategies for from complex API interactions and responses. For example, some APIs might
REST API authentication respond with different validations for separate geographic regions. Others might
behave differently when chronology is disrupted, like events occurring out of
How API attacks work, plus 5 sequence in rapid succession. This variability warrants a closer simulation of
common types factors such as environment, users, performance and throughput to produce
more accurate results and identify unanticipated outcomes.
Getting more CW+ exclusive
content
Benefits of generative AI in API testing
With the right tools and strategies, GenAI technologies such as large language
models, ChatGPT and applications built over GPT models such as RestGPT
offer new approaches for creatively structuring tests.

Context-specific configuration, quality training data and customised testing

parameters are key to effective deployment. The following categories outline

Page 10 of 33
 E-guide

some of the emerging advantages and possible benefits of GenAI as teams look
In this e-guide to find the right blend of manual administration and automation.

What's next for APIs? 4 API Data management

trends for 2025 and beyond

The pros and cons of using

Language models can dynamically generate test data for API contracts, data
generative AI for API testing types and scenarios, widening coverage for both success and error cases. The
models are capable of preemptive and ad hoc data generation.
5 fundamental strategies for
REST API authentication Response and contract validation
How API attacks work, plus 5 Language models can validate responses, and GenAI can flexibly adapt to
common types multiple data formats such as JSON and XML, as well as standards like HTML,
REST and SOAP. GenAI can also assist with backward compatibility by
Getting more CW+ exclusive handling testing across versions.
content

Wider scenario coverage

GenAI can generate initial test scenario lists, identify gaps in coverage,
augment existing test sets, help cover edge cases and evaluate and expand the
test suite as APIs evolve with limited manual intervention.

Page 11 of 33
 E-guide

The technology is also capable of contextually generating data and responses

In this e-guide for multiple API versions, different consumer types and other complex
scenarios. These capabilities can reduce costs associated with manual
What's next for APIs? 4 API intervention, data creation and execution.
trends for 2025 and beyond

Automation
The pros and cons of using
generative AI for API testing
GenAI's data generation and validation capabilities can bring enhanced
5 fundamental strategies for
automation to API testing. It can also execute complex lockstep API
REST API authentication orchestrations in interdependent systems that require data synchronisation. In
dynamic and complex environments, GenAI can act as a source of coherent
data to reliably test a complex integration.
How API attacks work, plus 5
common types
Vulnerability spotting
Getting more CW+ exclusive
content With a comprehensive understanding of API context, application roles, users
and permissions, GenAI can help spot data leakage, privilege escalation and
other security issues by constructing well-formed requests that can identify a
lack of required controls and checks.

Page 12 of 33
 E-guide

In this e-guide Lower cost of evolution

What's next for APIs? 4 API Evolving an API contract with multiple versions and subscriber sprawl could
trends for 2025 and beyond mean testing tens of versions for backward compatibility and validating
hundreds of scenarios for errors. Each version or scenario could require data
The pros and cons of using generation and validation, making it both an expensive and protracted process.
generative AI for API testing
GenAI can augment capabilities and bring down costs associated with scenario
5 fundamental strategies for
and data generation and validation. Another possible benefit is that teams could
REST API authentication channel energy into responsibilities that add direct value to the organisation
rather than spend time executing tedious and redundant tasks.
How API attacks work, plus 5
common types
Downsides of generative AI in API testing
Getting more CW+ exclusive Although there are many perceived benefits of generative AI in the API testing
content space, it's important to understand the limitations of the technology. Some
tradeoffs might be immediately apparent. But as a new and developing
technology, there could be unrealised implications associated with GenAI
integration.

Page 13 of 33
 E-guide

In this e-guide Erosion of institutional knowledge

What's next for APIs? 4 API Teams responsible for implementing test harnesses acquire knowledge of
trends for 2025 and beyond system functionality, functional edge cases and data correlation between
different parts of the system. Over-reliance on automated tools erodes
The pros and cons of using institutional knowledge that can be otherwise difficult to build over time. In the
generative AI for API testing absence of this expertise, functional questions might require exhaustive testing
or time-consuming and inefficient code reviews.
5 fundamental strategies for
REST API authentication Variable reliability
How API attacks work, plus 5
Since generative AI responses can be inconsistent, the execution path and
common types
outcome for certain test cases can change, resulting in false positives and
negatives. Unpredictable outcomes could potentially contribute to a growing
Getting more CW+ exclusive
lack of confidence in the reliability and effectiveness of existing safety nets.
content

Specialised skills

Prompt engineering can alter behavior in GenAI tools. But when prompts create
impediments and fail to address issues, expert consultation could be necessary.
Candidates with specialised skills in prompt engineering can be difficult and
expensive to hire, train and retain.

Page 14 of 33
 E-guide

In this e-guide Resource intensive

What's next for APIs? 4 API Generative AI is resource-intensive, especially in test execution scenarios that
trends for 2025 and beyond invoke AI in real time. Revising test data and scenarios prior to execution could
offer a more balanced approach in terms of mitigating costs and resource
The pros and cons of using usage.
generative AI for API testing
Compliance issues
5 fundamental strategies for
REST API authentication
Industries governed by strong regulatory and compliance requirements, like
banking and finance, require explainability for decision-making throughout the
How API attacks work, plus 5
software development lifecycle. Questions surrounding GenAI explainability and
common types
transparency make it difficult to consider the possibility of pure generative AI
testing without manual oversight. There are also concerns about leaking
Getting more CW+ exclusive
sensitive or proprietary data inadvertently through third-party hosted models. As
content
a result, these considerations warrant a more circumspect use of generative AI
in certain domains, along with clear security policies.

Next Article

Page 15 of 33
 E-guide

In this e-guide 5 fundamental strategies for REST API

authentication
What's next for APIs? 4 API
trends for 2025 and beyond Priyank Gupta, Partner

REST APIs are the backbone of modern applications, separating data and
The pros and cons of using
presentation layers and allowing systems to scale in size and feature
generative AI for API testing
sophistication.

5 fundamental strategies for However, as data moves across boundaries, it's important to secure REST APIs
REST API authentication that contain sensitive information by implementing authentication mechanisms
that control their exposure. REST API authentication not only identifies
How API attacks work, plus 5 legitimate users or systems to grant access to an API, but it also prevents
common types unauthorised interactions.

Getting more CW+ exclusive Consider five fundamental approaches to REST API authentication, plus two
content methods growing in adoption as technology evolves and the risk landscape
changes. These include the following:

• Basic authentication.
• API keys.
• HMAC encryption.
• OAuth 2.0.
• OpenID Connect.
• Tokens (one-time passwords or magic links).
• Passkeys.

Page 16 of 33
 E-guide

Each approach presents distinct benefits but also introduces different levels of
In this e-guide complexity that organisations need to weigh when choosing a REST API
authentication strategy.
What's next for APIs? 4 API
trends for 2025 and beyond
Basic authentication
The pros and cons of using
generative AI for API testing
HTTP Basic authentication uses a Base64 format to encode usernames and
passwords stored in the HTTP header. This is a practical approach for setting
up various API access credentials while keeping the application lightweight and
5 fundamental strategies for
straightforward. However, it doesn't offer out-of-the-box support for multifactor
REST API authentication
authentication (MFA) or dynamic, user-specific credentials, which would require
additional browser-based extensions and authorisation tooling.
How API attacks work, plus 5
common types
Basic authentication enjoys widespread support across development toolchains,
technologies and platforms, thanks to its simplicity. One of the key challenges
Getting more CW+ exclusive with this authentication scheme, however, is that sensitive credentials often
content travel between systems unencrypted. Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) channels are essential when sharing sensitive
data between multiple web applications -- especially third-party applications --
because threat actors can intercept traffic moving through unsecured channels
and steal credentials.

Page 17 of 33
 E-guide

In this e-guide
API keys
What's next for APIs? 4 API The API keys approach is a variation of the HTTP Basic authentication strategy
trends for 2025 and beyond meant to provide authentication for the machines consuming REST APIs. It
uses machine-generated strings to create unique pairs of identifying credentials
The pros and cons of using and API access tokens. API keys can be sent as part of the payload, HTTP
generative AI for API testing headers or query string, making them a good fit for consumer-facing web
applications.
5 fundamental strategies for
REST API authentication The benefit of API keys is that they decouple API access from the necessary
credentials and validation tokens. It's possible to revoke and reissue credentials
How API attacks work, plus 5
and tokens as needed, such as if a user's permission level changes or there is
common types reason to believe the information has been compromised.

Unfortunately, API keys are susceptible to the same risks as Basic

Getting more CW+ exclusive
authentication: Hackers could intercept and exploit the associated credentials.
content
While keys provide a unique identification mechanism for front-end user
interactions that can both apply and revoke credentials on demand, the
simplicity of this design inhibits their ability to support layered authentication or
MFA.

Page 18 of 33
 E-guide

In this e-guide
HMAC encryption
What's next for APIs? 4 API A hash-based message authentication code (HMAC) is useful when the integrity
trends for 2025 and beyond of the REST API's data payload is a priority. HMAC uses symmetric encryption -
- sometimes called single-key encryption -- to determine the hashing of a REST
The pros and cons of using API's data payload. It then generates a unique code associated with that
generative AI for API testing hashing and attaches it to relevant messages. The caller and receiver share the
key and use it to ensure the integrity of the data within the payload.
5 fundamental strategies for
REST API authentication Requiring little operational overhead regarding management or tooling, the
HMAC approach to REST API authentication is effective when an individual can
How API attacks work, plus 5
directly control both the client and server applications. However, it can become
common types challenging to store encryption keys securely when dealing with mobile and web
applications outside of an individual's control.
Getting more CW+ exclusive
For example, a mobile application that uses URL-based HMAC encryption keys
content
to facilitate data requests is a vulnerable target for attacks, especially if those
encryption keys don't contain a fixed time frame for expiration. If a threat actor
acquires that unique key, it can easily coerce the application to accept a
malicious data payload simply by embedding the stolen encryption code within
the URL.

Page 19 of 33
 E-guide

In this e-guide
OAuth 2.0
What's next for APIs? 4 API OAuth (specifically, OAuth 2.0) is considered a gold standard for REST API
trends for 2025 and beyond authentication, especially in enterprise scenarios involving sophisticated web
and mobile applications. OAuth 2.0 can support dynamic collections of users,
The pros and cons of using permission levels, scope parameters and data types. Organisations looking to
generative AI for API testing secure large numbers of REST APIs that contain sensitive information might
find this to be an optimal approach.
5 fundamental strategies for
REST API authentication OAuth 2.0 creates secure access tokens that periodically refresh through a
series of procedural verification protocols known as grant types. These grant
How API attacks work, plus 5
types act as proxy authentication mechanisms and direct the flow of API access
common types requests without exposing the underlying credentials, tokens and other
associated authentication information.
Getting more CW+ exclusive
The five major grant types in OAuth 2.0 are as follows:
content
• Authorisation Code.
• Proof Key for Code Exchange (PKCE).
• Client Credentials.
• Device Code.
• Refresh Token.

In addition to recycling access keys, OAuth supports the concept of scopes, a

method of limiting an application's access to a user's account and associated

Page 20 of 33
 E-guide

credentials. This helps control the degree to which third-party applications can
In this e-guide access a user's account data. Another advantage is the ability to define multiple
scopes and issue unique tokens for different requests and permission levels.
What's next for APIs? 4 API OAuth can perform payload integrity checks using a JSON Web Token (JWT).
trends for 2025 and beyond
JWT tokens securely store encrypted, user-specific data and then transmit that
data between applications as needed. Because an authenticating service can
The pros and cons of using sign these web tokens, it's possible to imbue the token with new user roles and
generative AI for API testing permissions once the user is authenticated. Tokens are typically invalidated
using a time-based expiry mechanism.
5 fundamental strategies for
REST API authentication Adding a shared symmetric key across application services can help all
participating services verify the token's integrity concurrently rather than through
How API attacks work, plus 5 a series of validation checks. This mitigates the risk of creating a single point of
common types failure in the validation process. However, managing the distribution of
symmetric keys required for payload integrity verification is a daunting security
Getting more CW+ exclusive challenge in dynamic, highly scalable application environments.
content

OpenID Connect
OpenID Connect is an open-standard authentication protocol built on OAuth 2.0.
It provides a simple way for a client application -- referred to as a relying party
(RP) -- to validate a user's identity. This single standard facilitates information
sharing without the need for explicit management of credentials for third-party
applications.

Page 21 of 33
 E-guide

REST APIs covered by OpenID Connect become usable once the RP

In this e-guide authenticates users. Eventually, the API associated with that RP can perform
validation using its variation of the OAuth grant types. These grant types are as
What's next for APIs? 4 API follows:
trends for 2025 and beyond
• Authorisation Code.
• Implicit.
The pros and cons of using
• Hybrid.
generative AI for API testing

While OpenID Connect always resides under the API provider's control, multiple
5 fundamental strategies for RPs can use these grant types independently. REST API providers aiming to
REST API authentication
securely share user data across various third-party web applications might find
this approach ideal, especially if they struggle with the complexities of dynamic,
How API attacks work, plus 5 enterprise-level credential management tooling.
common types

Getting more CW+ exclusive Additional REST API authentication strategies to

content consider
As online phishing, identity theft attempts and various cybersecurity threats
advance in sophistication, other authentication methods for REST APIs continue
to evolve and gradually gain traction with native device support.

Page 22 of 33
 E-guide

In this e-guide Tokens (OTP or magic link)

What's next for APIs? 4 API One-time passwords (OTPs) and magic links provide passwordless
trends for 2025 and beyond authentication for REST APIs by sending a unique, short-lived credential
through SMS, email or app notifications. However, these methods work slightly
The pros and cons of using differently.
generative AI for API testing
• OTPs. Relying on a shared secret key between a client and service
provider, algorithms like time-based one-time passwords (TOTPs) and
5 fundamental strategies for HMAC-based one-time passwords (HOTPs) generate temporary OTPs to
REST API authentication enable verification between services. OTPs work well for high-security
use cases with minimal user friction.
• Magic link. A magic link is a URL containing a time-bound code that the
How API attacks work, plus 5
server verifies when the user clicks on the link. They are particularly
common types
effective for consumer apps where seamless authentication is preferred.

Getting more CW+ exclusive A token-based approach does not require the user to remember or enter a
content password, though it does necessitate switching between apps to log in. If the
delivery mechanism fails, users can face login issues. And while tokens typically
have a lower security risk than static passwords, token interception is possible.
As a result, token security is only as good as the provider's security.

Page 23 of 33
 E-guide

In this e-guide Passkeys

What's next for APIs? 4 API Preventing the transfer of secret data or passwords over a network, passkeys
trends for 2025 and beyond are a phishing-resistant authentication mechanism that relies on the WebAuthn
standard, which is part of the FIDO2 framework. In this approach, the user
The pros and cons of using device generates a secure and unique cryptographic key pair, where the device
generative AI for API testing stores the private key and the service provider stores the public key.

5 fundamental strategies for

Passkeys involve two levels of authentication. At login, the user device performs
REST API authentication a local authentication through methods such as biometric or PIN-based
authentication. Once authenticated, the device uses the private key to sign an
automatic encryption challenge initiated by the service provider. The provider
How API attacks work, plus 5
common types then verifies the signature using the public key and grants access. For REST
API authentication, the challenge could create a token that authenticates and
authorises subsequent requests until the token expires and the process recurs.
Getting more CW+ exclusive
content
As an evolving authentication option, not all platforms support passkeys.
However, many industries, including financial services, rely on the inherent
security they can provide. Passkeys are a strong choice when security and
frictionless authentication are top priorities. Still, they require thoughtful fallback
options for recovery as the approach is device-dependent, and a private key
can be lost with a device.

Page 24 of 33
 E-guide

In this e-guide
Choosing a REST API authentication approach
What's next for APIs? 4 API Given the variety of REST API authentication approaches, carefully consider the
trends for 2025 and beyond pros and cons of each approach against an application's unique requirements
before adoption. The HTTP-focused approach of Basic authentication is great
The pros and cons of using for restricting public access to low-risk data and resources, but it still needs
generative AI for API testing some security control. API keys, meanwhile, lend themselves to scenarios
where API providers need to identify individual consumers and regulate their
5 fundamental strategies for permissions as needed.
REST API authentication
Data sensitivity is, of course, a significant part of the decision. While HMAC
How API attacks work, plus 5
provides a fair degree of data payload integrity support for relatively contained
common types operations, OAuth is a better fit for complex use cases that involve rotating
access tokens and adjustable permission levels. For those who reside in the
middle, OpenID provides a nice balance between OAuth's dynamic access
Getting more CW+ exclusive
content management and the simplicity of HMAC. Existing authentication strategies can
often be coupled with tokens or passkeys to establish identity more reliably and
securely.

No matter the approach, limiting REST API exposure to secured SSL and TLS
channels is always a good idea. Avoid transmitting sensitive credentials as
embedded parts of API data payloads, URLs or query strings, as applications
might inadvertently store copies of these credentials through automated logging
procedures. Finally, use a hardened secret management system and automate

Page 25 of 33
 E-guide

procedures such as encryption key rotations, as a manual approach might result

In this e-guide in repetitive oversights and errors.

What's next for APIs? 4 API

Next Article
trends for 2025 and beyond

The pros and cons of using

generative AI for API testing

5 fundamental strategies for

REST API authentication

How API attacks work, plus 5

common types

Getting more CW+ exclusive

content

Page 26 of 33
 E-guide

In this e-guide How API attacks work, plus 5 common types

Rob Shapland, Ethical Hacker
What's next for APIs? 4 API
trends for 2025 and beyond API attacks are on the rise, opening organisations to new security risks.

The pros and cons of using

Traditional website-based cyberattacks target the application itself, but as
generative AI for API testing companies expose a growing number of website APIs to the internet, these
connections are increasingly drawing the attention of threat actors.
5 fundamental strategies for
An API lets software communicate with other software to share data and
REST API authentication
functionality. For example, an API might let a user log in to an application with
credentials from a third-party account, such as Facebook or Google.
How API attacks work, plus 5
common types An API key authorises a connection between software programs, acting like a
password to identify the application calling the API and prove it has access
Getting more CW+ exclusive permissions.
content
API requests are similar to the access requests users send from their browsers,
meaning many attacks that work against websites can compromise APIs as
well.

Page 27 of 33
 E-guide

In this e-guide
5 types of API attacks
What's next for APIs? 4 API Malicious hackers employ a number of API attacks and API abuse techniques.
trends for 2025 and beyond These include the following.

The pros and cons of using 1. Injection attacks

generative AI for API testing

An API is vulnerable to SQL injection or cross-site scripting (XSS) if developers

5 fundamental strategies for
don't properly sanitise its query parameters to ensure the API sends and
REST API authentication
receives only appropriate data.

How API attacks work, plus 5 In injection attacks, cybercriminals insert malicious code into their queries to
common types
trick the API into granting unauthorised access to sensitive data. They can then
steal, modify, delete and replace that information as they choose.
Getting more CW+ exclusive
content

Page 28 of 33
 E-guide

In this e-guide

What's next for APIs? 4 API

trends for 2025 and beyond

The pros and cons of using

generative AI for API testing

5 fundamental strategies for

REST API authentication

How API attacks work, plus 5

common types

Getting more CW+ exclusive

content

2. Broken access control attacks

In some cases, threat actors can bypass standard access control guardrails by
interacting with target APIs directly and exploiting their security vulnerabilities.

Page 29 of 33
 E-guide

At worst, APIs with broken authentication and authorisation controls set the
In this e-guide stage for massive data breaches.

What's next for APIs? 4 API In a broken object-level authorisation attack, for example, an API might
trends for 2025 and beyond successfully authenticate a user through a userID value in the API request but
accept a different ID in the query parameter.
The pros and cons of using
generative AI for API testing
If the API does not validate that the authenticated user should have access to
the requested data -- i.e., that the userID in the request matches the userID in
the query -- then an attacker can easily access details of any other user's
5 fundamental strategies for
REST API authentication
account.

And if API rate limiting isn't in use -- restricting the number of calls one user can
How API attacks work, plus 5 make in a given time frame to reduce the attack surface -- then the threat actor
common types
could exfiltrate massive amounts of sensitive information.

Getting more CW+ exclusive In some past attacks, vulnerable API endpoints did not require any user
content authentication at all, leaving them wide open to malicious hackers.

3. Excessive data exposure

Organisations that do not manage their APIs effectively often allow too many
APIs -- for example, old or test versions -- to be exposed to the internet. In
some cases, such APIs send too much information back when they receive
requests, potentially exposing sensitive data.

Page 30 of 33
 E-guide

In this e-guide 4. DoS and DDoS attacks

What's next for APIs? 4 API If an API is not protected from denial-of-service and distributed denial-of-service
trends for 2025 and beyond attacks, bad actors can launch a brute-force attack, in which they send a huge
volume of data to the API and cause the entire website to stop responding.
The pros and cons of using
generative AI for API testing 5. Third-party attacks
5 fundamental strategies for
Attackers can also target APIs through third parties. A malicious hacker might
REST API authentication
be able to compromise a trusted partner that has a legitimate API key, for
example, and use it to access the target API.
How API attacks work, plus 5
common types

Defending against API attacks

Getting more CW+ exclusive
content Organisations should defend APIs as they protect any traditional web
application -- by following application security best practices and deploying
appropriate cybersecurity measures. Consider the following ways to mitigate
API vulnerabilities:

• Sanitise all query parameters that the API can interpret to prevent XSS,
SQL injection and other similar attacks.
• Institute strong user authentication and authorisation mechanisms to help
prevent a malicious user from accessing data through an API.

Page 31 of 33
 E-guide

• Ensure DoS and DDoS security software protects not only the main
In this e-guide website, but APIs as well.
• Keep an accurate inventory of APIs exposed to the internet, and know
which third-party organisations and users have access. Assess what type
What's next for APIs? 4 API
of and how much information the API returns to the end user, and ensure
trends for 2025 and beyond it's no more than necessary.

The pros and cons of using

Next Article
generative AI for API testing

5 fundamental strategies for

REST API authentication

How API attacks work, plus 5

common types

Getting more CW+ exclusive

content

Page 32 of 33
 E-guide

In this e-guide Getting more CW+ exclusive content

As a CW+ member, you have access to TechTarget’s entire portfolio of 120+
What's next for APIs? 4 API
websites. CW+ access directs you to members-only content that is guaranteed
trends for 2025 and beyond
to save you the time and ultimately help you to solve your toughest IT
challenges more effectively.
The pros and cons of using
generative AI for API testing

Take full advantage of your membership by visiting

5 fundamental strategies for
REST API authentication
www.computerweekly.com/eproducts
Images: stock.adobe.com

How API attacks work, plus 5 © 2025 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means without
common types written permission from the publisher.

Getting more CW+ exclusive

content

Page 33 of 33