Advanced · 6 topic areas · 26+ exercises

API Security Engineer

API Security Engineers specialise in identifying, communicating, and remediating security vulnerabilities in API surfaces. Their work spans from threat modelling API endpoints and writing security findings reports to explaining OAuth 2.0 grant type choices to developers and presenting API security posture to compliance teams. This path covers the authoritative vocabulary needed to discuss API authentication, authorisation, and attack surface management in technical and cross-functional settings.

Topics covered

  • OWASP API Top 10
  • JWT & token security
  • OAuth 2.0 & PKCE
  • Rate limiting algorithms
  • mTLS vs API keys
  • API threat modelling

Vocabulary spotlight

4 terms every API Security Engineer should know in English:

BOLA n.

Broken Object Level Authorisation — the top OWASP API vulnerability, where an API endpoint fails to verify that the requesting user is authorised to access a specific resource object

"The BOLA finding showed that any authenticated user could access any invoice by simply changing the ID in the URL parameter."

JWT alg:none attack n.

A JWT vulnerability where an attacker modifies the token header to set the algorithm to "none", causing servers that accept unsigned tokens to bypass signature verification entirely

"The penetration test confirmed the alg:none attack was possible — the server was trusting the algorithm specified in the token header rather than enforcing it server-side."

token bucket n.

A rate limiting algorithm where tokens accumulate in a bucket at a fixed rate up to a maximum capacity; each request consumes one token, allowing burst traffic up to the bucket's capacity

"We use a token bucket at the API gateway with a refill rate of 100 req/s and a burst capacity of 500 — legitimate clients can absorb traffic spikes."

mTLS n.

Mutual Transport Layer Security — a TLS configuration where both client and server present cryptographic certificates for bidirectional authentication; each party verifies the other's identity

"For service-to-service API calls within the cluster, we require mTLS — no service can call the payment API without presenting a valid SPIFFE certificate."

📚 Vocabulary Reference

Key terms organised by category for API Security Engineers:

OWASP API Top 10

  • BOLA
  • BFLA
  • broken authentication
  • unrestricted resource consumption
  • server-side request forgery
  • security misconfiguration
  • improper inventory management
  • mass assignment
  • unsafe consumption of APIs

JWT & Token Security

  • JWT
  • alg:none attack
  • algorithm confusion
  • token expiry
  • token rotation
  • refresh token
  • claims validation
  • JWK endpoint
  • key ID (kid)
  • token scope

OAuth 2.0 & Auth

  • Authorization Code flow
  • PKCE
  • Implicit flow (deprecated)
  • Client Credentials
  • access token
  • refresh token
  • scope
  • audience claim
  • token introspection
  • dynamic client registration

API Protection Controls

  • rate limiting
  • token bucket
  • sliding window
  • API gateway
  • mTLS
  • API key
  • input validation
  • schema validation
  • IP allowlist
  • WAF
  • certificate pinning

Recommended exercises

Real-world scenarios you'll practise

  • Explaining BOLA and the difference from BFLA (Broken Function Level Authorisation) to a backend team before a security sprint
  • Writing a security finding report section on JWT algorithm confusion vulnerabilities for a penetration test report
  • Presenting API security posture to a compliance officer: framing OWASP API Top 10 coverage and remediation status
  • Recommending mTLS vs API key authentication for a new inter-service API to an architecture review board
