apidays
June 07, 2025
apidays Helsinki & North 2025 - API access control strategies beyond JWT bearer tokens, Judith Kahrer (Curity)

API access control strategies beyond JWT bearer tokens
Judith Kahrer, Identity Expert at Curity

apidays Helsinki & North 2025 - APIs for Innovation, Intelligence, and Impact
June 3 & 4, 2025

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

Transcript

  1. Certificate-bound Access Tokens • Great support for mTLS • Third-party Assertion • Built-in Authentication • Public Key Infrastructure (PKI) • Complex Operation • Certificate Rollout
  2. Demonstrating Proof of Possession (DPoP) • Suitable for all Applications • Runtime Keys • End-to-End Solution • Complex Validation
  3. Access Control Strategies • Validate access tokens whenever data is returned. • Use sender-constrained access tokens. • Use JWTs for APIs, opaque tokens for clients. • Limit scope for internal tokens.
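The resource-server side of slide 3's "sender-constrained access tokens" and the "Complex Validation" of DPoP on slide 2, as an added example written for this page (not Curity's code or anything shown in the deck): the RFC 9449 binding checks that turn a bearer token into a proof-of-possession token. It assumes the JWS signatures of the proof and of the access token have already been verified by the caller; the key coordinates, token string and request are constructed placeholders.

```python
import base64, hashlib, json, time
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: only the key's required members, lexicographically ordered, no whitespace
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True).encode()
    return b64url(hashlib.sha256(canonical).digest())

def validate_dpop_binding(access_token, token_claims, proof_header, proof_claims,
                          method, url, seen_jti, now=None, max_age=300):
    """Return None if the proof binds the token to this request, else the failing check.
    Assumes the caller already verified the JWS signatures of proof and access token."""
    now = time.time() if now is None else now
    if proof_header.get("typ") != "dpop+jwt":
        return "proof typ is not dpop+jwt"
    jwk = proof_header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk or proof_header.get("alg") in (None, "none"):
        return "proof must carry a public key and an asymmetric alg"
    # cnf.jkt in the access token must equal the thumbprint of the key that signed the proof
    if (token_claims.get("cnf") or {}).get("jkt") != jwk_thumbprint(jwk):
        return "access token is not bound to the proof key"
    if proof_claims.get("htm") != method:
        return "htm does not match the request method"
    if proof_claims.get("htu") != url.split("?", 1)[0].split("#", 1)[0]:
        return "htu does not match the request URI"
    iat = proof_claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        return "proof iat outside the acceptance window"
    # ath ties this proof to exactly the access token presented with the request
    if proof_claims.get("ath") != b64url(hashlib.sha256(access_token.encode()).digest()):
        return "ath does not match the presented access token"
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:
        return "proof jti missing or replayed"
    seen_jti.add(jti)  # replay cache; bound it by max_age and share it across API nodes
    return None
# Constructed sample data: placeholder key coordinates and token, not real credentials
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
ACCESS_TOKEN = "constructed.opaque.token"
TOKEN_CLAIMS = {"sub": "alice", "scope": "orders:read", "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}

def sample_proof(now):  # a well-formed proof for GET https://api.example.com/orders
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    claims = {"jti": "n-0S6_WzA2Mj", "htm": "GET", "htu": "https://api.example.com/orders",
              "iat": int(now), "ath": b64url(hashlib.sha256(ACCESS_TOKEN.encode()).digest())}
    return header, claims
```

A proof that is replayed, presented with a different access token, or signed with a key other than the one in `cnf.jkt` is rejected with the failing check named, which is the value worth logging at the API.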