APIs, Integrations, and Automation — Lesson 2
Authentication, Permissions, and OAuth
Learning Objectives
1. Explain API keys, tokens, and OAuth in plain language.
2. Apply the principle of least privilege to API integrations.
3. Identify security risks in integration permissions.
Why APIs need authentication
APIs need to know who is making each request and what they are authorized to do. Without authentication, anyone could access your customer data, create records, delete information, or abuse your systems. Authentication is the process of proving identity; authorization is the process of verifying what that identity is allowed to do.
The simplest form of API authentication is an API key — a unique string of characters that identifies the requesting system. API keys should be treated like passwords: stored securely, never shared publicly, and rotated periodically. Exposing an API key in public code or a shared document can give unauthorized access to your systems.
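To make the authentication-versus-authorization distinction concrete, here is an added example (not part of the lesson, and not any particular vendor's API) of how a server side might process an API key: it stores only a hash of each key, looks the caller up (authentication), rejects keys older than a rotation window, and then checks whether the key's granted scopes cover the requested action (authorization). The key registry, scope names, owners and the 90-day rotation window are all constructed assumptions for the demonstration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Server-side registry of API keys, keyed by SHA-256 digest of the plaintext key.
# Storing only the digest means a leaked registry does not leak usable keys, and
# looking up the digest avoids comparing raw secrets byte by byte.
KEY_REGISTRY = {}


def _digest(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key(owner: str, scopes, created: datetime) -> str:
    """Create a key, record its digest and metadata, and return the plaintext once."""
    api_key = "key_" + secrets.token_urlsafe(24)
    KEY_REGISTRY[_digest(api_key)] = {
        "owner": owner,
        "scopes": set(scopes),
        "created": created,
    }
    return api_key


def authenticate(api_key: str) -> Optional[dict]:
    """Authentication: who is calling? Returns the key record, or None if unknown."""
    return KEY_REGISTRY.get(_digest(api_key))


def authorize(record: dict, required_scope: str) -> bool:
    """Authorization: is this identity allowed to perform this action?"""
    return required_scope in record["scopes"]


def handle_request(api_key: str, action: str, now: datetime, max_age_days: int = 90) -> str:
    """Full pipeline: authenticate, enforce key rotation, then authorize the action."""
    record = authenticate(api_key)
    if record is None:
        return "401 unauthenticated"
    if now - record["created"] > timedelta(days=max_age_days):
        return "401 key expired, rotate it"
    if not authorize(record, action):
        return f"403 forbidden: {action} not in scopes {sorted(record['scopes'])}"
    return f"200 {action} by {record['owner']}"


# Constructed sample keys: a scoped integration key, an admin key, and a stale key.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SCOPED_KEY = issue_key("lead-enrichment", {"contacts:read", "contacts:update"}, NOW - timedelta(days=10))
ADMIN_KEY = issue_key("admin", {"contacts:read", "contacts:update", "contacts:delete", "settings:write"}, NOW - timedelta(days=10))
STALE_KEY = issue_key("legacy-sync", {"contacts:read"}, NOW - timedelta(days=200))

if __name__ == "__main__":
    # A buggy caller that tries to delete contacts is stopped by scope, not by luck.
    for label, key in [("scoped", SCOPED_KEY), ("admin", ADMIN_KEY), ("stale", STALE_KEY), ("bogus", "key_nope")]:
        for action in ["contacts:read", "contacts:delete"]:
            print(f"{label:7} {action:16} -> {handle_request(key, action, NOW)}")
```

The same deletion attempt succeeds with the admin key and is refused with the scoped key; that difference in blast radius is the point of issuing dedicated, minimally scoped credentials.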
OAuth: delegated access without sharing passwords
OAuth is a standard that lets a user authorize one application to access their data in another application without sharing their password. When an app asks you to "Connect with Google" or "Sign in with Microsoft," it is using OAuth to get limited access to your account.
OAuth is important for business integrations because it provides granular permission control. Instead of giving an integration full access to everything, OAuth can limit it to specific actions — read-only access to contacts, or the ability to create calendar events but not read email.
When setting up OAuth integrations, review the permissions being requested. If a tool that only needs to read your calendar is asking for permission to send emails, read contacts, and access files, those excessive permissions are a security risk. Grant the minimum access needed for the integration to function.
Least privilege and permission management
The principle of least privilege means giving each integration only the permissions it needs to do its job and nothing more. An integration that syncs contacts needs read access to contacts. It does not need the ability to delete contacts, access financial data, or modify user accounts.
Permission management becomes more important as you add more integrations. Each new connection is a potential security surface. Review active integrations periodically. Remove integrations that are no longer used. Update permissions when an integration purpose changes. Know who authorized each connection and what access it has.
Credential management matters at the organizational level. API keys and OAuth tokens should be stored securely, not in spreadsheets or shared documents. When an employee who set up an integration leaves, their credentials should be rotated. When a vendor relationship ends, their API access should be revoked immediately.
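The OAuth permission review above and the periodic integration review described in this section are the same check applied at different times: compare what each connection can do against what its purpose requires. As an added example (not from the lesson or any vendor's admin console), the script below runs that review over a constructed inventory of integrations, flagging excess scopes, connections unused for more than a stale window, and credentials whose authorizing employee has left. The inventory, the purpose-to-scope mapping, the 90-day stale window and the departed-user list are all assumptions made for the demonstration.

```python
from datetime import date

# Constructed inventory, modelled on what an export of authorized integrations
# from a CRM or identity provider might contain, reduced to the fields needed here.
INTEGRATIONS = [
    {"name": "lead-enrichment", "purpose": "contact_sync", "owner": "alice",
     "scopes": {"contacts:read", "contacts:update"}, "last_used": date(2024, 5, 28)},
    {"name": "calendar-assistant", "purpose": "calendar_read", "owner": "bob",
     "scopes": {"calendar:read", "mail:send", "contacts:read", "files:read"},
     "last_used": date(2024, 5, 30)},
    {"name": "old-reporting-bot", "purpose": "reporting", "owner": "carol",
     "scopes": {"reports:read"}, "last_used": date(2023, 11, 2)},
]

# Assumption: the minimum scopes each integration purpose genuinely needs.
NEEDED_SCOPES = {
    "contact_sync": {"contacts:read", "contacts:update"},
    "calendar_read": {"calendar:read"},
    "reporting": {"reports:read"},
}

# Assumption: employees who have left but may still own live credentials.
DEPARTED_USERS = {"carol"}

TODAY = date(2024, 6, 1)


def review_integrations(integrations, needed_scopes, departed_users, today, stale_days=90):
    """Return a list of (integration, finding, detail) tuples for anything needing action."""
    findings = []
    for integ in integrations:
        if integ["purpose"] not in needed_scopes:
            # No documented purpose: nobody can say what access is appropriate.
            findings.append((integ["name"], "unknown_purpose", integ["purpose"]))
            baseline = set()
        else:
            baseline = needed_scopes[integ["purpose"]]
        excess = integ["scopes"] - baseline
        if excess:
            findings.append((integ["name"], "excess_scopes", sorted(excess)))
        idle_days = (today - integ["last_used"]).days
        if idle_days > stale_days:
            findings.append((integ["name"], "stale", idle_days))
        if integ["owner"] in departed_users:
            findings.append((integ["name"], "owner_departed", integ["owner"]))
    return findings


def recommended_action(finding: str) -> str:
    """Map each finding type to the remediation the lesson describes."""
    return {
        "excess_scopes": "reissue credential with only the needed scopes",
        "stale": "revoke the integration if it is no longer used",
        "owner_departed": "rotate the credential and assign a current owner",
        "unknown_purpose": "document the purpose before renewing access",
    }[finding]


if __name__ == "__main__":
    for name, finding, detail in review_integrations(INTEGRATIONS, NEEDED_SCOPES, DEPARTED_USERS, TODAY):
        print(f"{name:20} {finding:15} {detail!s:40} -> {recommended_action(finding)}")
```

Run as written, the calendar tool is flagged for three scopes beyond calendar reading, and the reporting bot is flagged both as stale and as owned by a departed employee; the contact-sync integration, which holds exactly the scopes its purpose needs, produces no findings.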
Case Study
The over-permissioned integration
Situation
A marketing team connected a lead enrichment tool to their CRM using an admin-level API key. The tool only needed to read and update contact records, but the admin key gave it access to delete records, export all data, and modify system settings. When the enrichment tool had a bug that duplicated records, the admin access made the damage much worse than it needed to be.
Analysis
The integration was set up by someone who used the easiest option — the admin key they already had — rather than creating a limited key with only the necessary permissions. A read-and-update-only key would have prevented the bulk duplication and the risk of data deletion.
Takeaway
Always create dedicated credentials for integrations with the minimum permissions needed. Never reuse admin credentials for automated connections.
Reflection Questions
1. How many third-party tools have API access to your organization's systems? Do you know what permissions each one has?
2. When was the last time someone reviewed and revoked unused integrations at your organization?
Key Takeaways
- ✓ API authentication proves identity; authorization controls what actions are allowed.
- ✓ OAuth enables delegated access without sharing passwords — review the permissions it requests.
- ✓ Apply least privilege: give integrations only the access they need.
- ✓ Review, rotate, and revoke API credentials regularly, especially when people leave.