All our APIs are REST (Representational State Transfer) APIs that use HTTP to obtain data and perform operations on remote computer systems. Our APIs support TLS 1.2 authentication and HTTPS to achieve secure communication. Our REST APIs use JSON for request and response payloads, which simplifies data transfer to and from browsers.
By leveraging both API key-based authentication and OAuth 2.0, we provide a secure and flexible environment for our API interactions, adhering to the best practices in API security.
APIs hosted within the Webex Campaign
For APIs hosted within the Webex Campaign, we use an API key-based authentication mechanism. This method ensures that each API request is accompanied by a unique key, providing secure access control and enhancing overall security. For more information, refer to Accessing APIs hosted within Webex Campaign.
APIs hosted on the API Hub
For APIs hosted on the API Hub, we have adopted the OAuth 2.0 authentication model. OAuth 2.0 is a robust, industry-standard protocol that facilitates secure authorization in a simple and standardized manner across web, mobile, and desktop applications. This model provides an additional layer of security by issuing tokens with limited access, which is especially beneficial for services with third-party integrations. For more information, refer to Accessing APIs hosted on the API Hub.
Security
Security is an essential element of any application, especially for APIs, where hundreds or thousands of API calls are made daily. We have taken appropriate security measures throughout the design process to ensure that our APIs are used properly by those whom we allow to use them. We have appropriate measures in place to safeguard our APIs from common API vulnerabilities such as Cross-site scripting (XSS) and SQL injection. All our APIs pass through AWS WAF (Amazon Web Services Web Application Firewall).
We understand that authentication is the first layer of security for our APIs, while authorization is its subsequent and equally important counterpart.
Authentication means determining that the client application has an identity that is allowed to use the APIs. It ensures that requests to our APIs are made by a registered client. In addition, the access token lends itself to easily retrieving the identity of those accessing the API. Our API access tokens expire every 60 minutes. This lifetime is a configurable parameter that can be set as required. Once a token has expired, the client application is denied access when it next tries to call our APIs, until it obtains a new token.
Authorization means determining the scope of interaction allowed by the APIs for the authenticated application—that is, what actions and data the authenticated application has access to when using the APIs.
We use Open Authorization (OAuth), a token-based authorization system that is the most common API security measure. Unlike basic authorization, the API client obtains an access token for that user. The benefit of token-based access is that the token may be revoked at any time for any reason: a security breach, misuse, or simply the user deciding they no longer want that service to have access to their account. Access tokens are also used to restrict permissions, letting the user decide what the application should be able to do with their information or account.
Rate-limit Throttling
We allow 100 API requests per second per user. Once the limit is reached, further API requests are not processed and an exception is returned with the message "Too many requests. Throttle limit reached for the time window".
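As an added illustration, and not Webex Campaign's own code, the following constructed Python applies the two checks described above in the order the text gives them: token expiry after the 60-minute lifetime, then a fixed-window per-user throttle of 100 requests per second that raises the quoted exception. Class and function names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# The 60-minute token lifetime and 100 requests/second/user follow the text;
# names and structure are constructed and are not Webex Campaign code.
TOKEN_LIFETIME_SECONDS = 60 * 60
THROTTLE_LIMIT = 100
THROTTLE_WINDOW_SECONDS = 1.0
THROTTLE_MESSAGE = "Too many requests. Throttle limit reached for the time window"

class Unauthorized(Exception): """Access token missing or expired."""
class Throttled(Exception): """Per-user request limit exceeded for the window."""

@dataclass
class AccessToken:
    user_id: str
    issued_at: float  # epoch seconds at which the token was issued

@dataclass
class ApiGate:
    """Authentication is checked first; the throttle only counts authenticated calls."""
    lifetime: float = TOKEN_LIFETIME_SECONDS
    limit: int = THROTTLE_LIMIT
    window: float = THROTTLE_WINDOW_SECONDS
    # user_id -> [window_start, request_count]; fixed window, reset when it elapses
    _buckets: dict = field(default_factory=lambda: defaultdict(lambda: [0.0, 0]))

    def admit(self, token: Optional[AccessToken], now: float) -> str:
        """Return the authenticated user_id, or raise Unauthorized / Throttled."""
        if token is None or now - token.issued_at >= self.lifetime:
            raise Unauthorized("access token expired")
        bucket = self._buckets[token.user_id]
        if now - bucket[0] >= self.window:  # window elapsed: start a fresh count
            bucket[0], bucket[1] = now, 0
        if bucket[1] >= self.limit:
            raise Throttled(THROTTLE_MESSAGE)
        bucket[1] += 1
        return token.user_id

def outcome(gate: ApiGate, token: Optional[AccessToken], now: float) -> str:
    """Classify one request as 'ok', 'unauthorized' or 'throttled'."""
    try:
        gate.admit(token, now)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except Throttled:
        return "throttled"
```

The throttle is keyed per user, so one client exhausting its window does not affect another, and an expired token is rejected before it consumes any of the window.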
IP Whitelisting
All our APIs are publicly accessible and are called via the public domain. If a client has firewall restrictions, they must whitelist the Webex Campaign domain. We do not whitelist any IP address.