Back to training

API Access Control Workshop


This is an opinionated workshop on how to design and implement access control for APIs.

API keys are an easy and commonly used technique. However, the security guarantees afforded are very limited. JSON Web Tokens (JWT)  are much more granular and need not rely on shared keys.

Since token validation and authorization logic are cross-cutting concerns typically requiring distinct skills, it is desirable to separate them from the business logic implementing resources to be accessed. In this course, we implement the latter on AWS Lambda while AWS API Gateway is configured to serve as the guard, a.k.a. Policy Enforcement Point (PEP), in a serverless architecture.

We set up an AWS Cognito User Pool to issue JWTs that afford access to our APIs and implement a Single Page Application (SPA) in React that obtains those JWTs from the authorization server via OAuth and OpenID Connect protocols. Alternative grants and flows are compared and we discuss when to use which.

Good security does not detract from the User eXperience (UX). Hence we discuss techniques to make access control (almost) invisible to the user.

The workshop combines live coding by the instructor and hands-on work from participants. At the end of the workshop, all participants should master how to set up an authorization server, protect serverless APIs and how to call them from a rich client.

Who should attend

This 1-day workshop is aimed at developers, architects, testers and technical leads.

Why attend

Attend this workshop if you want to:

  • Understand threats to APIs
  • Design access control measures
  • Appreciate the extent and limitations of OAuth 2.0 and OpenID Connect
  • Understand security token validation steps to be taken
  • Choose an appropriate protocol to obtain security tokens

Course Outline


Protecting APIs

  • API keys
  • JWTs


  • Sharing API keys
  • OAuth 2.0
  • OpenID Connect

Authorization Servers

Architectural considerations

These concepts are taught using concrete implementations. For this course, the following technology stack will be used:

  • Resource server: AWS API Gateway and Lambda
  • Authorization server: AWS Cognito
  • Client: React


  • Participants should be familiar with REST API concepts
  • They should have access to an AWS account. All the exercises in the workshop can be done within the Amazon free tier
  • Participants should bring a laptop to this session running a REST client such as Postman or HTTPie
  • The laptop should also have Node.js version 8 installed, including editor or IDE
  • Participants should have notions of JavaScript. Knowledge of React is a bonus, but not essential
  • A barebones JavaScript client including a development server is provided ( as a starting point. Participants are encouraged to clone and install this project before the workshop

Practical details

  • Duration: 1 day
  • Training language: English / French / Dutch


Need a customized workshop? Contact us and we’ll adapt the content as required.