
API security risks: are your key controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: API security risks increase as organisations rely on API keys, tokens, and exposed endpoints, with Entro Security highlighting gaps in authentication, authorization, encryption, and secret rotation. The governance problem is not just API protection but whether identity and access controls can keep pace with machine-to-machine access at scale.

NHIMG editorial — based on content published by Entro Security: API security risks, testing, protection best practices

By the numbers:

Questions worth separating out

Q: How should security teams govern API keys and tokens as identities?

A: Treat each API key, token, and client credential as a managed identity with an owner, a purpose, and a defined expiry.

Q: When do API security controls fail in practice?

A: They fail when authentication is weak, scopes are too broad, endpoints are exposed without validation, or secrets are copied into too many places to revoke quickly.

Q: How do organisations know if API secret rotation is actually working?

A: Rotation is working only if old credentials stop authenticating, secret scanners find exposures early, and runtime inventories show a short-lived credential footprint.

Practitioner guidance

  • Inventory every API credential and owner: Create a single list of API keys, JWT issuers, OAuth clients, and service accounts with the business owner, technical owner, scope, and revocation method for each identity.
  • Enforce scope limits at issuance time: Define the minimum callable resources before an API key or token is issued, and reject broad, reusable permissions that cannot be recertified cleanly later.
  • Automate secret scanning and revocation: Scan source code, configuration, and logs for exposed API secrets, then invalidate leaked credentials immediately instead of waiting for the next rotation cycle.

What's in the full article

Entro Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Detailed API key security best practices for authentication, authorization, and token handling across real environments
  • Step-by-step guidance on HTTPS, input validation, rate limiting, and error handling for API protection
  • Operational notes on secrets rotation, secret scanners, and dependency hygiene for exposed API credentials
  • Examples of API governance policies for shadow API security and creator control

👉 Read Entro Security's analysis of API security risks and key protection practices →


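The practitioner guidance above (an inventory with owner, purpose, scope and expiry per credential; scope limits enforced at issuance) and the answer on how to tell whether rotation is working, worked through in code. This is an added example, not code from Entro Security or from NHIMG; the credential fields, the 90-day lifetime, the 30-day staleness threshold, the "broad scope" list and the sample inventory and gateway auth log are all assumptions constructed for the illustration.

```python
"""Added example: API credentials managed as identities, with issuance gating and a
rotation audit. Not Entro Security's or NHIMG's code; all thresholds and data are
assumptions constructed for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
MAX_LIFETIME = timedelta(days=90)   # assumed policy: no credential may live longer than this
STALE_AFTER = timedelta(days=30)    # assumed: live credentials older than this get flagged
BROAD_SCOPES = {"*", "admin", "read:*", "write:*"}  # assumed "too broad to recertify" set


@dataclass
class Credential:
    cred_id: str
    owner: str            # business/technical owner accountable for the identity
    purpose: str          # why it exists; an empty purpose means nobody can justify it
    scopes: frozenset     # minimum callable resources, fixed at issuance
    issued: datetime
    expires: datetime
    revoked_at: Optional[datetime] = None
    revoke_via: str = "gateway-admin-api"   # assumed revocation path, recorded per identity


def issuance_violations(cred):
    """Policy checks run before a key or token is issued; an empty list means it may go out."""
    problems = []
    if not cred.owner:
        problems.append("no owner")
    if not cred.purpose:
        problems.append("no purpose")
    if not cred.scopes:
        problems.append("no scopes")
    broad = sorted(cred.scopes & BROAD_SCOPES)
    if broad:
        problems.append("broad scopes: " + ", ".join(broad))
    if cred.expires - cred.issued > MAX_LIFETIME:
        problems.append("lifetime exceeds %d days" % MAX_LIFETIME.days)
    return problems


def rotation_audit(inventory, auth_events, now):
    """inventory: {cred_id: Credential}; auth_events: (timestamp, cred_id, outcome) taken
    from the gateway's authentication log. Returns the signals the post treats as proof
    that rotation works: retired credentials that were still accepted ('zombies'),
    accepted credentials the inventory never recorded ('unknown'), and live credentials
    that have been around longer than STALE_AFTER ('long_lived')."""
    zombies, unknown = set(), set()
    for ts, cred_id, outcome in auth_events:
        if outcome != "accepted":
            continue
        cred = inventory.get(cred_id)
        if cred is None:
            unknown.add(cred_id)      # in use but never inventoried: a shadow credential
        elif (cred.revoked_at is not None and ts >= cred.revoked_at) or ts > cred.expires:
            zombies.add(cred_id)      # rotation did not actually stop the old secret
    long_lived = sorted(
        c.cred_id for c in inventory.values()
        if c.revoked_at is None and c.expires > now and now - c.issued > STALE_AFTER
    )
    return {"zombies": sorted(zombies), "unknown": sorted(unknown), "long_lived": long_lived}


def _dt(iso_date):
    return datetime.fromisoformat(iso_date).replace(tzinfo=UTC)


# Constructed sample inventory: one rotated pair and one long-lived, over-scoped key.
SAMPLE_INVENTORY = {c.cred_id: c for c in [
    Credential("key-billing-01", "alice", "billing-sync", frozenset({"read:invoices"}),
               _dt("2024-04-15"), _dt("2024-05-15"), revoked_at=_dt("2024-05-15")),
    Credential("key-billing-02", "alice", "billing-sync", frozenset({"read:invoices"}),
               _dt("2024-05-15"), _dt("2024-06-14")),
    Credential("key-reporting-legacy", "bob", "nightly-report", frozenset({"read:*"}),
               _dt("2024-01-01"), _dt("2024-12-31")),
]}

# Constructed sample auth log: (timestamp, credential id, gateway outcome).
SAMPLE_AUTH_LOG = [
    (_dt("2024-05-20"), "key-billing-01", "accepted"),  # should have been dead since 05-15
    (_dt("2024-05-25"), "key-billing-02", "accepted"),
    (_dt("2024-05-28"), "key-billing-01", "rejected"),
    (_dt("2024-05-30"), "key-ci-unknown", "accepted"),  # never entered into the inventory
]
NOW = _dt("2024-06-01")

if __name__ == "__main__":
    for cred in SAMPLE_INVENTORY.values():
        print(cred.cred_id, issuance_violations(cred) or "ok")
    print(rotation_audit(SAMPLE_INVENTORY, SAMPLE_AUTH_LOG, NOW))
```

The audit deliberately reads the gateway's own log rather than the inventory's "revoked" flag: a credential the inventory calls retired but the gateway still accepts is exactly the case where rotation looks done on paper and is not. The "unknown" bucket is the shadow-credential signal the post's inventory step is meant to close.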



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

API key security is now identity governance, not just application hardening. Once API keys and tokens are the practical mechanism for access, the control question shifts from protecting code to governing machine identities. Authentication, authorization, rotation, and logging all become part of the same lifecycle problem. Practitioners should treat every API credential as a managed identity with an owner, purpose, and expiry.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.

A question worth separating out:

Q: What should teams do when an API credential leaks?

A: Revoke the credential immediately, check where it was used, and look for copies in code repositories, build logs, and application configs before the next attacker retry. Then review the scope that made the leak damaging in the first place. The goal is containment first, then scope correction.

👉 Read our full editorial: API security risks expose the limits of key-based access controls



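The containment order in the answer above (revoke immediately, locate every copy in repositories, build logs and configs, then correct the scope that made the leak damaging) as an added example. This is not code from the post or from Entro Security; the `nhi_live_` key format, the sample source files and the scope map are constructed for the illustration, and a real scanner would use each provider's actual key patterns.

```python
"""Added example: containment after an API credential leak, in the order the reply gives:
revoke first, then find every copy, then correct the scope. Not code from the post or
from Entro Security; the key format, files and scope map are constructed for this example."""
import hashlib
import re

# Assumed key format for the illustration; a real scanner uses each provider's patterns.
KEY_PATTERN = re.compile(r"\bnhi_live_[A-Za-z0-9]{32}\b")


def fingerprint(secret):
    """Short, non-reversible handle for a secret so reports and tickets never carry the value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_sources(sources):
    """sources: {location: text} for code, CI logs and configs.
    Returns {fingerprint: sorted 'location:line' list}, so copies of one secret correlate."""
    found = {}
    for location, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in KEY_PATTERN.finditer(line):
                found.setdefault(fingerprint(match.group()), []).append(f"{location}:{lineno}")
    return {fp: sorted(locs) for fp, locs in found.items()}


def containment_plan(leaked_secret, sources, scopes_by_fingerprint):
    """Containment first, scope correction second; every step references the fingerprint only."""
    fp = fingerprint(leaked_secret)
    steps = ["revoke " + fp]                           # stop authentication before anything else
    for loc in scan_sources(sources).get(fp, []):
        steps.append("purge copy at " + loc)           # repos, build logs, configs
    broad = sorted(s for s in scopes_by_fingerprint.get(fp, set())
                   if s == "admin" or s.endswith("*"))
    if broad:                                          # the scope that made the leak damaging
        steps.append("reissue with narrower scope; drop " + ", ".join(broad))
    return steps


# Constructed secrets and sources (the values are deliberately synthetic).
LEAKED_KEY = "nhi_live_" + "0123456789abcdef" * 2
OTHER_KEY = "nhi_live_" + "fedcba9876543210" * 2
SAMPLE_SOURCES = {
    "src/billing.py": "import requests\n"
                      f"API_KEY = '{LEAKED_KEY}'  # hard-coded, should be in the vault\n",
    "ci/build-4711.log": "[step 1] checkout\n[step 2] env dump\n"
                         f"BILLING_KEY={LEAKED_KEY}\n",
    "deploy/config.yaml": "reporting:\n"
                          f"  key: {OTHER_KEY}\n",
}
SAMPLE_SCOPES = {fingerprint(LEAKED_KEY): {"read:*", "write:invoices"}}

if __name__ == "__main__":
    for step in containment_plan(LEAKED_KEY, SAMPLE_SOURCES, SAMPLE_SCOPES):
        print(step)
```

Correlating by fingerprint rather than by value is what lets the same secret be tracked across a repo, a CI log and a config without the incident record itself becoming another copy of the secret; the plan's first step is always revocation, because finding copies is pointless while the credential still authenticates.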