Customer login controls prove that a person authenticated, while API access governance controls what that identity or delegated application can do next. In open banking, the second problem is broader because access may continue through tokens, scopes, and partner integrations after the login event ends. Teams need both layers, but they are not the same control.
Why This Matters for Security Teams
Customer login controls and API access governance are often discussed together, but they answer different security questions. Login controls establish that a user authenticated, usually through MFA, password policy, or session protection. API governance decides whether that identity, delegated app, or partner integration can call a specific endpoint, use a token, or keep acting after the login event ends. That distinction matters in open banking, where consent, scopes, and token lifetimes can outlive the interactive session.
Security teams that collapse the two layers into one control frequently overestimate coverage. A strong login policy does not prevent an over-scoped token from moving money, reading account data, or impersonating a trusted integration. NHI governance guidance in the Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0 both point toward treating identity proofing, authorisation, and lifecycle control as separate disciplines. In practice, many security teams discover this gap only after a partner token is abused or a consent chain is used in ways the original login review never anticipated.
How It Works in Practice
Customer login controls sit at the edge of the user journey. They verify that a person is who they claim to be, often using password strength, MFA, device checks, and session timeout. API access governance begins after authentication and governs what may happen next: which resource can be reached, which scope is valid, whether the call is allowed from a specific client, and how long a token remains useful.
In a well-governed open banking design, these layers are intentionally separated. The interactive login establishes the customer session, but API access is typically mediated by OAuth consent, tightly bounded scopes, short-lived tokens, and partner registration controls. Good practice is to map the customer’s intent to the minimum viable permissions, then enforce those permissions at runtime rather than assuming the login event itself is sufficient. That is why the OWASP Non-Human Identity Top 10 is useful here: the risky asset is often not the login, but the secrets, tokens, and service-to-service paths that continue operating afterwards.
- Use login controls for authentication assurance, not for endpoint authorisation.
- Use consent, scope, and token TTL to limit API reach.
- Review delegated applications and partner integrations separately from human user access.
- Log token issuance, refresh, revocation, and anomalous endpoint use as distinct events.
The NHIMG Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is especially relevant because API governance usually fails at the handoff between initial consent and downstream credential lifecycle. These controls tend to break down when token exchange, refresh flows, and third-party delegation are chained across multiple platforms because no single control owner sees the full path.
Common Variations and Edge Cases
Tighter API governance often increases integration friction, so organisations have to balance customer experience against abuse resistance. That tradeoff becomes visible in open banking, where customer consent may be legitimate but still too broad for the least-privilege model.
One common edge case is delegated access through a third-party app. The login happened in one system, but the governing risk sits in a separate client credential, refresh token, or partner API key. Another is service-mediated access, where a customer action triggers backend calls that no longer resemble the original login context. Current guidance suggests treating those pathways as separate identities and reviewing them against the Ultimate Guide to NHIs — Regulatory and Audit Perspectives. The same principle is reinforced by NIST Cybersecurity Framework 2.0: authentication, authorisation, and monitoring must be independently defensible.
There is no universal standard for this yet, especially where consent receipts, OAuth scopes, and partner contracts overlap. The safest pattern is to govern the login, the token, and the API separately, then reconcile them through continuous monitoring and revocation. A recent NHIMG review on 52 NHI Breaches Analysis shows why that matters: attacks often succeed after the authentication event, not at it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | API tokens and secrets outlive login events, creating classic NHI lifecycle risk. |
| NIST CSF 2.0 | PR.AA-01 | Separates authentication from authorisation, which is the core distinction here. |
| CSA MAESTRO | Delegated access and runtime policy are central to secure agent and API governance. |
Inventory tokens, rotate secrets, and revoke stale API credentials independently of user login controls.
Related resources from NHI Mgmt Group
- What is the difference between role-based access and API key governance for NHI security?
- What is the difference between human IAM controls and NHI governance?
- What is the difference between attack surface management and NHI governance?
- What is the difference between reviewing human access and reviewing NHIs?
