Securing APIs
Veterans share their data with the VA and trust that it will be safe. As such, the commitment to safeguarding that data must extend beyond compliance with federal regulatory obligations. Due to the open nature of APIs, selecting the correct authentication method is essential to mitigating risks, preventing unauthorized access, and ensuring the integrity and reliability of VA's data systems, all while facilitating secure and seamless data exchange for authorized users.
API Key or OAuth 2.0?
APIs that involve user authentication, personally identifiable information (PII), protected health information (PHI), or scoped or time-limited access will use OAuth 2.0. Otherwise, the API will use an API key.
The flowchart below assists in determining the appropriate option to use.
Flowchart for determining authentication requirements. It starts with 'Start,' leading to a decision diamond asking, 'Requires user authentication?' If 'No,' it proceeds to another decision diamond asking, 'Produces or consumes PII or PHI?' If 'No' again, it proceeds to another decision diamond asking, 'Consumers need scoped or short-term access?' If 'No,' it leads to 'API Key.' If the answer is 'Yes' at any decision point, it moves to 'OAuth 2.0.'
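The flowchart can be checked mechanically against an API description. The following is an added example, not code from the VA page: it applies the three decision questions to each operation in an OpenAPI-style document and reports operations whose declared `securitySchemes` type does not match the required one. The `x-*` extension fields and the sample spec are constructed assumptions used to record each operation's answers.

```python
# Added example (not from the VA page): a policy check over an OpenAPI-style
# description. The x-* fields and sample spec are constructed assumptions.

OAUTH_TRIGGERS = (
    ("x-requires-user-auth", "requires user authentication"),
    ("x-handles-pii-phi", "produces or consumes PII/PHI"),
    ("x-scoped-access", "consumers need scoped or short-term access"),
)

def required_scheme(operation):
    """Apply the flowchart: any 'Yes' answer means OAuth 2.0, else API key.
    Returns (scheme_type, reason) using OpenAPI securityScheme type names."""
    for field, reason in OAUTH_TRIGGERS:
        if operation.get(field, False):
            return "oauth2", reason
    return "apiKey", "no user auth, PII/PHI, or scoped access"

def declared_scheme_types(operation, spec):
    """Resolve an operation's security requirements (falling back to the
    document-level default) to the declared securityScheme types."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    requirements = operation.get("security", spec.get("security", []))
    return {schemes[name]["type"] for req in requirements for name in req if name in schemes}

def audit(spec):
    """Return (METHOD, path, finding) for every operation whose declared
    scheme does not satisfy the flowchart. Assumes path items hold only
    HTTP-method keys (no shared 'parameters' entries)."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            needed, reason = required_scheme(op)
            declared = declared_scheme_types(op, spec)
            if needed not in declared:
                findings.append((method.upper(), path,
                                 f"needs {needed} ({reason}); declared {sorted(declared) or 'none'}"))
    return findings

# Constructed sample: one compliant and two non-compliant operations.
SAMPLE_SPEC = {
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "apikey"},
        "VAOAuth": {"type": "oauth2", "flows": {"clientCredentials": {
            "tokenUrl": "https://example.invalid/token", "scopes": {}}}},
    }},
    "paths": {
        "/facilities": {"get": {"security": [{"ApiKeyAuth": []}]}},
        "/claims": {"get": {"x-handles-pii-phi": True, "security": [{"ApiKeyAuth": []}]}},
        "/appointments": {"post": {"x-requires-user-auth": True}},  # no security declared
    },
}

if __name__ == "__main__":
    print(*audit(SAMPLE_SPEC), sep="\n")
```

Running the block lists the two operations that handle PII/PHI or user authentication but are not backed by an `oauth2` scheme; the API-key-only operation passes.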