We are creating a SaaS product that allows companies to configure and organize the sale of a certain class of products / services. This product has an API in its core and an ecosystem of several applications around it. These include web applications (sites) that face the general public, a web-based CMS and an iOS application for sales people. Our customers can use them or create their own applications to talk with our API.
There has been a long debate among us about how the API should be secured. It has authentication (API key / secret for applications and user name / password for users) and authorization based on roles / permissions. At the moment, you cannot get a useful API response (apart from its version) unless the requester authenticates. This includes the endpoints that return data that is available to the general public, such as the list of items for sale.
The moot point is whether the API should require authentication for what are essentially public data.
The arguments for authentication:
- We cannot simply keep the API open for whoever calls it, even if they can get the information anyway by exploiting the public web applications. An open API can be subject to abuse or load attacks. It is better to control who has access by issuing keys / secrets per client application, which will be the first line of defense.
The arguments against authentication:
- It does not make sense to restrict access to what is publicly available anyway (through public access web applications that have a key / secret with the "public" role incorporated in them);
- Making authentication mandatory does not add value and only generates unnecessary overhead by requiring public applications to implement authentication clients, maintain keys / secrets and refresh authentication tokens. Applications should only authenticate against the API when a user needs to log in (which some clients simply do not need, since they use the guest checkout process);
- Any abuse problem (for example, exceeding the request rate limit, load attacks, etc.) must be addressed by the DDoS protection layer, the API itself, or both. Authentication is not the appropriate protection, since a malicious client could obtain the application's credentials and create problems for the API anyway, not to mention that the rate of authentication attempts should also be limited.
Is either of the two positions above horribly incorrect, or would you laugh if it were to appear in the API market? Is there a correct approach here, or are both approaches sensible in terms of security and could they be selected based on other considerations such as convenience / ease of implementation?
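To make the two positions concrete, here is an added example (not code from the question or from any real product) of an authorization check in which anonymous callers receive only the "public" role, every other permission requires an application key / secret, and rate limiting is applied per key for authenticated apps and per source IP for anonymous traffic. The endpoint table, client registry, header names and the plain key / secret headers are constructed assumptions; a real scheme would sign requests rather than send the secret.

```python
import hmac
from dataclasses import dataclass, field

# Constructed endpoint -> required permission table. Public reads need no key.
ENDPOINT_PERMISSIONS = {
    ("GET", "/items"): "public:read",
    ("GET", "/version"): "public:read",
    ("POST", "/orders"): "sales:write",
    ("PUT", "/cms/items"): "cms:write",
}

# Constructed client-application registry: key -> (secret, roles).
CLIENT_APPS = {
    "site-key": ("site-secret", {"public"}),
    "ios-key": ("ios-secret", {"public", "sales"}),
}

ROLE_PERMISSIONS = {
    "public": {"public:read"},
    "sales": {"public:read", "sales:write"},
    "cms": {"public:read", "cms:write"},
}


@dataclass
class RateLimiter:
    """Sliding-window counter: at most `limit` hits per `window` seconds per subject."""
    limit: int
    window: float
    hits: dict = field(default_factory=dict)

    def allow(self, subject: str, now: float) -> bool:
        recent = [t for t in self.hits.get(subject, []) if now - t < self.window]
        if len(recent) < self.limit:
            recent.append(now)
        self.hits[subject] = recent
        return recent[-1] == now and len(recent) <= self.limit and recent.count(now) >= 1 and (len(recent) < self.limit or recent[-1] == now and recent != self.hits.get(subject, [])[:-1])


def authorize(method, path, headers, client_ip, limiter, now):
    """Return an HTTP status: 200 allowed, 401 needs credentials, 403 forbidden, 429 rate limited."""
    key = headers.get("X-Api-Key")
    # Authenticated apps are limited per key; anonymous traffic per source IP.
    # The limiter runs before credential checks, so failed logins are limited too.
    subject = "app:" + key if key is not None else "ip:" + client_ip
    if not limiter.allow(subject, now):
        return 429
    roles = {"public"}  # anonymous default: public data only
    if key is not None:
        secret, app_roles = CLIENT_APPS.get(key, (None, set()))
        if secret is None or not hmac.compare_digest(secret, headers.get("X-Api-Secret", "")):
            return 401
        roles = app_roles
    needed = ENDPOINT_PERMISSIONS.get((method, path))
    if needed is None:
        return 404
    if any(needed in ROLE_PERMISSIONS[r] for r in roles):
        return 200
    return 401 if roles == {"public"} else 403
```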