The B2B SaaS Founder's Security Playbook

API Security for SaaS Products

Your API Is Your Product

If you're building a B2B SaaS product, your API isn't a feature - it's the product. Even if your customers primarily use your web interface, everything under the hood is API calls. And increasingly, your most valuable customers want direct API access for integrations, automation, and workflows.

That makes your API security posture a direct business concern. A compromised API means compromised customer data. An unreliable API means lost customer trust. A poorly designed API means security vulnerabilities that compound as your customer base grows.

This chapter covers the practical API security decisions that SaaS founders need to make - not academic threat modeling, but the specific things that get exploited in real SaaS products.

Authentication: The Front Door

Every API request must be authenticated. No exceptions. Even "public" API endpoints should be authenticated to enable rate limiting, abuse detection, and usage tracking.

API Key Authentication

The simplest approach, appropriate for server-to-server integrations where the client is trusted.

Request:
  GET /api/v1/users
  Authorization: Bearer sk_live_a1b2c3d4e5f6...

Server-side validation:
  1. Extract key from Authorization header
  2. Hash the key (SHA-256)
  3. Look up hash in database
  4. Verify key is active and not expired
  5. Load associated permissions
  6. Process request

Security requirements for API keys:

  • Generate with at least 256 bits of entropy
  • Store only the hash, never the plaintext
  • Support key rotation (multiple active keys per account)
  • Include environment prefixes (sk_live_ vs sk_test_)
  • Log all key usage for audit purposes
  • Support per-key permission scoping

OAuth 2.0 Authentication

For third-party integrations where a user authorizes an external application to access your API on their behalf.

When to use OAuth 2.0 vs. API keys:

Scenario Use API Keys Use OAuth 2.0
Customer's own server calls your API Yes No
Third-party app accesses customer's data No Yes
Webhook verification Yes (signing keys) No
Mobile app calls your API No Yes
Internal microservice communication Yes (or mTLS) No

Implementing OAuth 2.0 Securely

If you implement OAuth 2.0, get these details right:

  • PKCE (Proof Key for Code Exchange): Required for all public clients (mobile, SPA). Recommended for confidential clients too.
  • State parameter: Always validate to prevent CSRF attacks on the authorization flow
  • Redirect URI validation: Exact match only - never use wildcard or partial matching
  • Token lifetime: Access tokens 15-60 minutes, refresh tokens 7-30 days
  • Token storage: Access tokens in memory (for SPAs), refresh tokens in HttpOnly secure cookies
  • Scope limitation: Issue tokens with minimum required scopes

Rate Limiting: Your First Line of Defense

Rate limiting isn't just about protecting your servers from overload. It's a critical security control that prevents credential stuffing, API scraping, and denial of service.

Rate Limiting Strategy

Rate Limiting Tiers:

Global:       10,000 requests/minute across all endpoints
              Purpose: Protect infrastructure

Per-API-Key:  1,000 requests/minute per key
              Purpose: Fair usage, prevent abuse

Per-Endpoint: Varies by sensitivity
              Authentication endpoints: 10/minute per IP
              Data export endpoints: 5/minute per key
              Standard CRUD endpoints: 100/minute per key
              Read-only endpoints: 500/minute per key

Per-User:     100 requests/minute per user
              Purpose: Prevent compromised account abuse

Implementation Details

Return proper rate limit headers so clients can self-regulate:

HTTP/1.1 200 OK
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 847
X-RateLimit-Reset: 1711548300

HTTP/1.1 429 Too Many Requests
Retry-After: 30
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1711548300
Tip

Use a sliding window rate limiter, not a fixed window. Fixed windows allow bursts at window boundaries (2x the limit if timed correctly). Sliding windows prevent this.

Input Validation: Trust Nothing

Every piece of data that enters your API is potentially malicious. Validate everything.

The Validation Checklist

Input Type Validation Example
Strings Max length, allowed characters, encoding Username: 3-50 chars, alphanumeric + underscore
Numbers Range, type (integer vs. float) Page size: integer, 1-100
Emails Format validation, domain verification RFC 5322 format, active MX record
URLs Scheme validation, domain allowlist HTTPS only, no internal IPs
Dates Format, range, timezone handling ISO 8601, not in the future
Arrays Max length, element validation Tags: max 20 items, each 1-50 chars
Objects Known keys only, recursive validation Reject unexpected fields
File uploads Type verification, size limit, content scanning PDF only, max 10MB, AV scan

Preventing Injection

SQL injection remains the most common API vulnerability. The prevention is simple: never construct SQL queries with string concatenation. Use parameterized queries or an ORM for every database interaction.

# VULNERABLE - SQL injection
@app.route('/api/users')
def search():
    name = request.args.get('name')
    query = f"SELECT * FROM users WHERE name = '{name}'"
    return db.execute(query)

# SECURE - parameterized query
@app.route('/api/users')
def search():
    name = request.args.get('name')
    query = "SELECT * FROM users WHERE name = %s"
    return db.execute(query, (name,))

Beyond SQL injection, watch for:

  • Command injection: Never pass user input to shell commands
  • SSRF: Validate and restrict URLs that your server fetches on behalf of users
  • Path traversal: Never use user input in file paths without sanitization
  • NoSQL injection: NoSQL databases are vulnerable too - validate query operators

The OWASP API Security Top 10

The OWASP API Security Top 10 (2023 edition) lists the most critical API security risks. Here's how each applies to SaaS products:

1. Broken Object Level Authorization (BOLA)

The most common API vulnerability. Your API returns data based on an ID parameter, and you don't verify that the authenticated user has access to that specific object.

# VULNERABLE
GET /api/invoices/12345
# Returns invoice 12345 regardless of who's asking

# SECURE
GET /api/invoices/12345
# Verify: Does the authenticated user's organization own invoice 12345?
# If not: return 403 Forbidden

Fix: Check object ownership on every request. Use middleware that automatically validates resource ownership against the authenticated user's organization.

2. Broken Authentication

Weak authentication mechanisms - no rate limiting on login, weak token generation, tokens that don't expire, missing MFA options.

Fix: See the authentication section above. Use battle-tested auth libraries or platforms.

3. Broken Object Property Level Authorization

Your API returns more data fields than the user should see. A regular user requests their profile and gets admin-only fields like internal_notes or billing_details.

Fix: Define response schemas per role. Never return database objects directly - transform them through a serialization layer that filters fields based on the requester's permissions.

4. Unrestricted Resource Consumption

No rate limiting, no pagination limits, no query complexity restrictions. An attacker can request all records, trigger expensive computations, or exhaust your resources.

Fix: Implement rate limiting (covered above). Set maximum page sizes. Limit query complexity. Set timeouts on database queries.

5. Broken Function Level Authorization

An authenticated user can access admin API endpoints. Your API has /api/admin/users/delete and relies on the UI to hide it from non-admins - but the endpoint itself doesn't check permissions.

Fix: Authorization checks on every endpoint, not just in the UI. Use middleware that maps roles to allowed endpoints.

6. Unrestricted Access to Sensitive Business Flows

Your API allows automated abuse of business workflows - mass account creation, automated purchasing, rapid content scraping.

Fix: Rate limiting, CAPTCHA for sensitive flows, behavioral analysis for bot detection.

7. Server Side Request Forgery (SSRF)

Your API accepts URLs from users and fetches them server-side (for webhooks, link previews, file imports). An attacker provides internal network URLs to scan your infrastructure.

Fix: Validate and restrict URLs. Block internal IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x, 169.254.x.x). Use an allowlist for permitted domains where possible.

8. Security Misconfiguration

Verbose error messages, default credentials, unnecessary HTTP methods enabled, missing security headers, CORS misconfiguration.

Fix: Use a security header checklist, return generic error messages to clients (log details server-side), disable DEBUG mode in production, review CORS configuration.

9. Improper Inventory Management

Old API versions still running, undocumented endpoints, test endpoints exposed in production.

Fix: Maintain an API inventory. Sunset old versions with a deprecation schedule. Use API gateways that route only documented endpoints.

10. Unsafe Consumption of APIs

Your application consumes third-party APIs without validating their responses. If a third-party API is compromised, your application trusts the malicious data.

Fix: Validate all external API responses. Don't pass external data to SQL queries or shell commands. Set timeouts and error handling for external API calls.

Warning

BOLA (Broken Object Level Authorization) is by far the most common API vulnerability in SaaS products. It's easy to miss because the API works correctly for the happy path - it just doesn't check whether the requester should have access to the requested resource. Test every endpoint with a user from a different organization.

Common SaaS API Mistakes

Beyond the OWASP Top 10, these mistakes are specific to SaaS products:

Mistake 1: Inconsistent Tenant Isolation

Some endpoints check tenant ownership, some don't. This is usually because different developers built different endpoints at different times, and there's no central enforcement.

Fix: Implement tenant isolation at the middleware level, not per-endpoint. Every request should have the tenant context set before the endpoint handler runs.

Mistake 2: Webhook Security Gaps

Your application sends webhooks to customer-specified URLs. If you don't sign the webhook payload, customers can't verify it came from you. If you follow redirects, attackers can use your webhook system for SSRF.

Fix: Sign every webhook with an HMAC using a per-customer secret. Include a timestamp to prevent replay attacks. Don't follow redirects. Set a timeout on webhook delivery.

Mistake 3: Bulk Operations Without Limits

Your API supports bulk create/update/delete operations. No limit on batch size means a single API call can create a million records or delete an entire dataset.

Fix: Set maximum batch sizes (100-1000 items per request). Implement async processing for large operations. Return progress status for long-running operations.

Mistake 4: Verbose Error Messages

// BAD - reveals internal details
{
  "error": "PostgreSQL error: relation 'users' does not exist",
  "stack": "at QueryRunner.execute (/app/node_modules/...)"
}

// GOOD - useful but not revealing
{
  "error": "An internal error occurred. Reference: err_a1b2c3",
  "code": "INTERNAL_ERROR"
}

Detailed error messages help attackers understand your infrastructure. Log the details server-side and return a reference ID the customer can share with support.

Mistake 5: No API Versioning Strategy

You change an API response format and break every customer integration simultaneously.

Fix: Version your API from day one (/api/v1/). Support at least two versions simultaneously. Give customers 6-12 months notice before deprecating a version.

Security Headers Checklist

Every API response should include these security headers:

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: application/json
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: no-store

For API responses that might be accessed from browsers:

Content-Security-Policy: default-src 'none'
X-XSS-Protection: 0  (disabled - CSP is the modern replacement)

API Security Testing: Making It Practical

Security testing for APIs needs to be automated, continuous, and integrated into your development workflow. Here's a practical approach.

In the Development Pipeline

Developer writes code
        |
        v
Pre-commit: Secrets scanning (detect API keys in code)
        |
        v
PR Review: SAST scan (detect SQL injection, XSS, etc.)
        |
        v
CI/CD: Dependency vulnerability scan (known CVEs)
        |
        v
Staging: DAST scan (test running API for vulnerabilities)
        |
        v
Production: Runtime monitoring (detect exploitation attempts)

Tools That Work

Stage Tool Options What They Catch
Secrets scanning GitLeaks, TruffleHog, GitHub Secret Scanning API keys, credentials in code
SAST Semgrep, CodeQL, SonarQube Injection flaws, auth issues in code
Dependency scanning Snyk, Dependabot, Trivy Known CVEs in dependencies
DAST OWASP ZAP, Burp Suite, Nuclei Runtime vulnerabilities in deployed APIs
API-specific testing Postman (security tests), Akto API-specific vulnerabilities (BOLA, auth bypass)

The key is automation. Manual security testing is valuable (do annual penetration tests) but doesn't scale. Automated scanning in every PR catches the common issues before they reach production.

Writing Security Tests

Add explicit security test cases alongside your functional tests:

  • Test that User A cannot access User B's resources (tenant isolation)
  • Test that unauthenticated requests return 401 (not 200 or 500)
  • Test that requests with expired tokens are rejected
  • Test that rate limits are enforced
  • Test that input exceeding length limits is rejected
  • Test that SQL injection payloads in parameters don't cause errors
  • Test that admin endpoints reject non-admin tokens

These tests take a few hours to write and prevent entire classes of vulnerabilities from reaching production.

Monitoring and Logging

Log every API request with enough context for security investigation:

API Request Log Entry:
  timestamp: 2026-03-27T14:15:23.456Z
  request_id: req_abc123
  method: GET
  path: /api/v1/users
  status: 200
  duration_ms: 45
  ip: 203.0.113.42
  user_agent: "MyApp/2.1"
  api_key_id: key_xyz789 (last 4 chars only)
  organization_id: org_456
  user_id: usr_123
  response_size: 4521
  rate_limit_remaining: 847

Alert on:

  • Authentication failures above threshold (credential stuffing)
  • 403 responses above threshold (authorization probing)
  • Unusual traffic patterns (scraping, enumeration)
  • Requests from new geographic locations per API key
  • API usage outside business hours for customer accounts that are always business-hours only
Note

For a comprehensive guide to API security in the context of identity and access management, see Deepak Gupta's article on securing APIs in IAM.

Webhook Security

If your SaaS sends webhooks to customer-specified endpoints, webhook security is critical. An insecure webhook implementation can be used for SSRF attacks, data exfiltration, and spoofing.

Signing Webhooks

Every webhook payload should be signed with an HMAC so the recipient can verify authenticity:

Webhook Signature Flow:

1. Generate a per-customer webhook signing secret
2. When sending a webhook:
   - Compute HMAC-SHA256(secret, timestamp + "." + payload)
   - Include the signature and timestamp in headers
3. Customer verifies:
   - Recompute the HMAC with their stored secret
   - Compare signatures
   - Check timestamp is recent (reject if older than 5 minutes)

Webhook Security Checklist

  • Sign all webhook payloads with HMAC-SHA256
  • Include a timestamp to prevent replay attacks
  • Generate unique signing secrets per customer
  • Allow customers to rotate signing secrets with overlapping validity
  • Don't follow redirects when delivering webhooks
  • Set delivery timeouts (5-10 seconds maximum)
  • Implement retry logic with exponential backoff
  • Don't include sensitive data in webhook payloads (send IDs, let them fetch details via API)

The Bottom Line

API security for SaaS isn't about perfection - it's about getting the fundamentals right and improving continuously. Authenticate every request. Validate every input. Check authorization on every object. Rate limit everything. Log what matters.

These aren't complex engineering challenges. They're discipline. The SaaS companies that get compromised aren't usually missing sophisticated security controls - they're missing the basics. Start with the basics, and you'll be ahead of most of your competitors.