By NHI Mgmt Group Editorial TeamPublished 2026-05-05Domain: Workload IdentitySource: Curity

TL;DR: API examples show how teams can apply OAuth tokens, JWT validation, client assertions, and mTLS across common languages and frameworks to secure APIs, serverless functions, and event-driven integrations, according to Curity. The practical message is that API security still depends on explicit identity controls, not framework convenience.


At a glance

What this is: Curity has compiled coding examples for securing APIs with OAuth, JWTs, client assertions, and mutual TLS across multiple languages and frameworks.

Why it matters: For IAM and security teams, the value is in seeing how identity controls translate into implementation patterns for APIs, workloads, and service-to-service access.

👉 Read Curity's API security examples for OAuth, JWTs, and client assertions


Context

OAuth API security is not a single pattern. It spans token validation, request authorization, client authentication, and transport trust, and the implementation details change across Java, .NET, Python, Go, serverless, and event-driven systems. The identity governance question is how these controls stay consistent as APIs multiply.

The common failure mode is assuming the application framework or API gateway will carry the security burden on its own. In practice, teams still need to decide which identities can present tokens, which requests require stronger client proof, and how much trust belongs in each integration path.

For NHI programmes, these examples sit in the operational layer where service identities, application credentials, and API access policies intersect. The governance challenge is not whether APIs use OAuth, but whether the identity model behind them is explicit, reviewable, and resilient.


Key questions

Q: How should security teams govern OAuth-secured APIs across multiple languages and frameworks?

A: Start by standardising the identity rules, not the code samples. Every API should define how tokens are validated, which claims matter, what scope means in business terms, and whether stronger caller proof is required. The framework can differ, but the trust model should stay consistent across services.

Q: When does a bearer token create too much risk for API access?

A: Bearer tokens become high risk when the API protects sensitive data, supports privileged actions, or runs in distributed systems where interception or replay is plausible. If possession of the token is enough to act, you should consider stronger caller binding such as client assertions or mutual TLS.

Q: What do teams get wrong about JWT-based API security?

A: The common mistake is treating JWT validation as the full security control. Validation proves the token is authentic and unexpired, but it does not automatically prove the request is appropriate. Teams still need scope checks, audience restrictions, and business-level authorisation.

Q: How do serverless APIs change identity governance requirements?

A: Serverless systems make identity decisions more granular because each invocation is short-lived and frequently chained to events or messages. Teams need to verify that identity context survives correctly across hops, and that every boundary reasserts the right caller, audience, and expiry conditions.


Technical breakdown

OAuth token validation in API request flows

API security with OAuth usually begins with validating the access token, then checking claims such as issuer, audience, scope, and expiry before the request reaches business logic. JWTs are common because they let the API verify token integrity locally, but that only works if signing keys, token lifetimes, and audience rules are tightly controlled. A validated token is not the same as an authorised action. The API still has to map token content to the actual permission model used by the service.

Practical implication: align token validation rules with the API’s authorisation model, not just with authentication success.

Client assertions and stronger machine authentication

Client assertions let an API client prove its identity with a signed credential rather than relying only on bearer-token possession. That matters when the client is itself a non-human identity, because bearer tokens are easy to replay if exposed. Client assertions raise the bar by binding the caller to a stronger cryptographic trust relationship, often alongside OAuth flows. This is especially relevant for higher-risk APIs, where the server needs evidence that the caller is the intended workload or integration, not just something holding a valid token.

Practical implication: use client assertions where API access needs proof of caller identity, not only proof of token possession.

Serverless and event-driven API identity boundaries

Serverless APIs and event-based systems change the security problem because the code executes in short-lived runtime contexts while the identity trust decision happens earlier. JWT validation at each function call or message boundary can keep access decisions explicit, but it also means every invocation inherits the quality of the upstream identity issuance process. In event-driven designs, the challenge is preserving identity context across asynchronous hops without turning every hop into a blind trust relay. That requires careful token propagation, audience design, and expiry discipline.

Practical implication: treat each serverless invocation or event hop as a separate identity decision point, not as a continuation of trust.


NHI Mgmt Group analysis

API security is an identity problem before it is an application problem. These examples show that the control surface is not the endpoint language, but the identity evidence attached to each request. JWTs, OAuth scopes, client assertions, and mTLS are all ways of expressing trust in machine traffic. The practitioner conclusion is that API protection only holds when identity rules are explicit enough to survive framework changes.

Bearer-token trust is too weak for many non-human identities. When an access token alone is enough to act, the security model assumes possession equals authority. That works poorly for high-value APIs, service-to-service calls, and automation where token theft or replay can collapse the intended boundary. The implication is that API governance must distinguish between ordinary callers and workloads that need stronger proof of identity.

Named concept: request-scoped identity enforcement. The useful pattern here is to bind authorisation to each API call, not to a broad session assumption. That reduces the chance that one successful authentication becomes open-ended access across endpoints, serverless invocations, or message consumers. Practitioners should design for identity checks that remain visible at the request boundary.

These examples fit the broader shift from human-centric access control to workload-centric governance. Human IAM tools often assume interactive login, but API traffic is usually automated, repeated, and integrated into other systems. That makes lifecycle management, credential assurance, and scoped authorisation more important than UX-driven identity features. The practitioner conclusion is that API identity design should be governed as workload identity, not as a user access problem.

Curity’s examples are useful because they expose implementation choices, not just policy intent. Teams do not fail because they lack a concept like OAuth. They fail when the token format, validation point, or client trust method does not match the operational risk. The field needs more disciplined mapping between identity controls and API execution models.

From our research:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers, according to GitGuardian.
  • Use the Guide to the Secret Sprawl Challenge to connect API credential handling with rotation, exposure, and revocation discipline.

What this signals

Request-scoped identity enforcement: API programmes are moving toward controls that bind trust to each request rather than to a broad authenticated session. That shift matters because API traffic is increasingly machine-driven, and machine traffic fails differently from human logins. Teams should watch for places where bearer tokens, service credentials, or event handlers still assume stable, reviewable access paths.

The governance implication is that workload identity and API security are converging. When APIs are implemented through serverless functions, message queues, or internal services, the trust decision sits in the identity layer as much as in the application layer. That is where NIST Cybersecurity Framework 2.0 thinking is useful, especially around protect and detect functions.

Practitioners should expect more pressure to prove caller identity with cryptographic evidence, not just token presence. In environments where the 64% secret-validity problem persists, weak API identity controls become an exposure multiplier. The programme question is whether your APIs are designed to revoke trust quickly enough when credentials escape.


For practitioners

  • Map every API to an explicit identity trust model Classify each API by caller type, token type, validation point, and whether the service accepts bearer tokens, client assertions, or mTLS. Use that map to spot endpoints where identity proof is weaker than the data or action being protected.
  • Separate authentication proof from authorisation scope Check that JWT validation, scope enforcement, and business permissions are not being treated as the same control. The token should establish who or what is calling, while the API logic should decide what that identity may actually do.
  • Harden machine-to-machine access with stronger caller proof Prefer client assertions or mutual TLS where replay risk or token exposure would create excessive blast radius. Reserve bearer-only flows for low-risk integrations with short lifetimes and limited privilege.
  • Treat serverless and event flows as separate trust boundaries Review whether each function invocation, queue consumer, or message handler rechecks identity context instead of inheriting trust from the first caller. Verify that audience, expiry, and token propagation rules match the runtime boundary.

Key takeaways

  • API security in these examples is fundamentally about how identity evidence is checked at the request boundary.
  • JWTs and OAuth scopes help, but they do not replace stronger caller proof where replay or privilege exposure would be costly.
  • Teams should govern APIs as workload identity systems, with explicit trust models, scope rules, and boundary-specific revalidation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01API clients and service credentials are non-human identities in this article.
NIST Zero Trust (SP 800-207)PR.AC-4The article centers on request-level verification and least-privilege access decisions.
NIST CSF 2.0PR.ACOAuth, JWT, and client assertion controls map directly to access control governance.

Document API authentication and authorisation rules under Protect, then test them continuously.


Key terms

  • Bearer Token: A bearer token is a credential that grants access to whoever presents it. In API security, that makes possession the critical trust signal, which is why exposure or replay can be so dangerous. Stronger binding methods reduce the chance that the token alone becomes enough to act.
  • Client Assertion: A client assertion is a signed proof that the caller is the intended application or workload. It strengthens machine authentication by binding the request to cryptographic evidence rather than simple token possession. That makes it useful where replay risk or privileged access would be unacceptable.
  • Request Boundary: A request boundary is the point at which an API decides whether to accept, reject, or further constrain an incoming action. It is the natural place to validate identity, audience, scope, and expiry. In distributed systems, every boundary should be treated as a separate trust decision.

What's in the full article

Curity's full article covers the operational detail this post intentionally leaves for the source:

  • Concrete code examples for securing APIs in Java, .NET, Python, Go, Kotlin, Node.js, Spring Boot, Symfony, and Flask.
  • Implementation patterns for JWT validation, OAuth request authorisation, client assertions, and mutual TLS in real application code.
  • Serverless and event-driven examples showing how identity checks work at invocation and message boundaries.
  • Architecture and customer-story material that helps teams translate the patterns into larger identity and API designs.

👉 Curity's full article includes language-specific implementation examples and API architecture context.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org