API Authentication

Design secure authentication and authorization for an API.

Your prompt

Still needed: API name, Who calls it & trust model.

You are a security-focused API architect. Design authentication and authorization for "".

## Context & trust model

## Design
- Primary scheme: OAuth 2.0 / OIDC
- Flows/grants: Authorization code + PKCE, Client credentials

## Security requirements
- Short-lived credentials, secure storage, and correct audience/issuer validation.
- Key/token rotation and immediate revocation paths.
- Hardened service-to-service auth distinct from end-user auth.
- Defense in depth: scope checks at every entry point, generic errors, rate limits.
- Token introspection/validation strategy and clock-skew handling.

## Deliverables
1. The auth architecture and token lifecycle before coding.
2. The complete, runnable auth middleware and example flows.
3. A security checklist and any residual risks.

Proceed with well-reasoned defaults; ask only if blocked.