API Security in Action

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

Buy now at manning.com.


“A comprehensive guide to designing and implementing secure services. A must-read book for all API practitioners who manage security.” — Gilberto Taccari, Penta

“Anyone who wants an in-depth understanding of API security should read this.”—Bobby Lin, DBS Bank

“The best comprehensive guide about API security I have read”— Marc Roulleau, GIRO

“Every now and again you read a book by someone who completely understands the domain and knows how to explain it well. For me this is one of those books, I wish he wrote all the tech books I have ever read. I knew little about the topic and I followed along I prepared questions and page by page he answered them all. Thank you for this book.”— Damien C. (reviewer on manning.com)


A selection of recent talks by Illuminated Security’s resident expert.

OAuth2 Scope Design for Security

In this talk, you’ll learn best practices for securing access to resources using OAuth 2 scopes and when other technologies may be a better fit. OAuth 2 is very widely used for securing access to APIs. Access to resources is restricted based on the concept of “scope”. But what is a scope? How does it differ from permissions or roles? Find the answers here.

The impact of Spectre on modern web development

The Meltdown and Spectre attacks in 2018 (https://meltdownattack.com) sent shockwaves through the computing industry as they exploited vulnerabilities in the lowest, and most trusted, part of the computing stack: the CPU itself. Now that the dust has settled, what are the implications for modern web development? In this session, Neil Madden looks at the legacy of the Spectre attack and goes through the latest guidance from browser vendors about how best to protect your apps against these complex vulnerabilities.

Deep dive into self-contained tokens and JWTs

Security expert Neil Madden explains self-contained tokens and JWTs in detail.

Interviews & Podcasts

As an established expert, Neil is often invited on to podcasts. A selection of recent appearances are linked below.

IEEE Software Engineering Radio ep 383

Neil Madden, author of the API Security in Action book and Security Director of ForgeRock, discusses the key technical features of securing an API. Host Gavin Henry spoke with Madden about API versus Web App security, choice of authentication tokens, the various security models you can follow, NIST-800-92, ISO27001, STRIDE, CIA Triad, audit log best practices, mistakes that have been made, what to log, how to protect yourself from bad users, when to log something, the benefits of HTTPS, using Encrypted JWT, which is harder; API or Web App dev and the ongoing security battle of change.

Coding over Cocktails

With APIs designed to be automated and used by machines, they become easy targets for automated attacks and vulnerabilities as well. This episode, we find out what it takes for web APIs to be secure as they are rolled out. Joining us is active IETF member and author of "API Security in Action" Neil Madden, who discusses the dangers that an API is exposed to, its security mechanisms, and secure coding practices to keep your API safe from attacks.


On April 19th 2022, Neil Madden disclosed a vulnerability in many popular Java runtimes and development kits. The vulnerability, dubbed "Psychic Signatures", lies in the cryptography for ECDSA signatures and allows an attacker to bypass signature checks entirely for these signatures. How are popular cryptographic protocol implementations in Java affected? What's the state of Java cryptography as a whole? Join Neil, Nadim and Lucas as they discuss.