Securing Didit API Access with JWTs and Microservices

Robust Authentication with JWTsJSON Web Tokens (JWTs) offer a secure, stateless, and scalable method for authenticating microservices interacting with Didit's API, ensuring that each request is properly authorized without relying on session-based state.

Microservice Architecture for Enhanced SecurityImplementing microservice patterns for API access allows for granular control over permissions, isolation of sensitive operations, and improved resilience against security breaches.

Managing API Keys SecurelyAPI keys, like those provided by Didit, are critical for initial access and should be treated with utmost care, stored securely, and rotated regularly to minimize risk.

Didit's Developer-First Approach Simplifies IntegrationDidit provides a developer-friendly platform with programmatic login, clear API documentation, and a modular architecture that simplifies the integration of secure authentication and authorization patterns for identity verification workflows.

In today's interconnected digital landscape, securing API access is paramount, especially when dealing with sensitive identity verification data. As businesses increasingly adopt microservice architectures and rely on external services like Didit for identity verification, robust authentication and authorization mechanisms become non-negotiable. This blog post delves into how JSON Web Tokens (JWTs) and microservice patterns can be leveraged to secure your interactions with Didit's API, ensuring data integrity and compliance.

The Importance of Secure API Access for Identity Verification

Identity verification involves handling highly sensitive personal information. Any compromise of API access could lead to severe data breaches, regulatory penalties, and a loss of customer trust. Therefore, implementing stringent security measures is not just a best practice; it's a necessity. Didit, as an AI-native identity platform, processes critical data for services like ID Verification, Passive & Active Liveness, and AML Screening. Ensuring that only authorized microservices can access this data is fundamental to maintaining a secure ecosystem.

Traditional authentication methods, such as basic authentication or session cookies, can present challenges in a microservice environment due to their stateful nature and potential for scalability issues. This is where JWTs shine, offering a stateless, self-contained, and cryptographically signed token for authentication and authorization.

Leveraging JSON Web Tokens (JWTs) for API Authentication

JWTs are an open, industry-standard RFC 7519 method for representing claims securely between two parties. They are particularly well-suited for microservice architectures because they are:

• Stateless: The server doesn't need to store session information. Each JWT contains all the necessary information, reducing server load and improving scalability.
• Self-contained: JWTs carry information about the user and permissions, eliminating the need for multiple database queries for each API call.
• Cryptographically signed: The signature ensures that the token hasn't been tampered with, providing integrity and authenticity.

When interacting with Didit's API, your microservice can obtain an access token through programmatic login. Didit's Auth API allows for programmatic login with email and password for API accounts, returning access and refresh tokens directly. This process is designed to be agent-friendly, enabling seamless integration without browser-based interactions. The returned access_token is then included in the Authorization header of subsequent API requests to Didit, granting access to specific functionalities based on the token's embedded claims.

For example, after a successful programmatic login, you might receive an access_token that grants your microservice permission to initiate ID Verification sessions or retrieve results from AML Screening. The expiration time (expires_in) included in the token response dictates how long the token is valid, necessitating a refresh mechanism using the refresh_token to maintain continuous access.

Microservice Patterns for Enhanced Security and Scalability

Adopting microservice patterns significantly enhances API security by promoting modularity and isolation. Instead of a monolithic application with a single point of failure, microservices allow you to segregate different functionalities, applying specific security policies to each. Here are some key patterns:

• API Gateway: An API Gateway acts as a single entry point for all API requests, routing them to the appropriate microservice. It can handle authentication, rate limiting, and request validation before forwarding requests, adding a crucial layer of security.
• Service-to-Service Authentication: When microservices need to communicate internally, they should also authenticate and authorize each other. This often involves using internal JWTs or other secure tokens.
• Least Privilege Principle: Each microservice should only have the necessary permissions to perform its designated tasks. For instance, a microservice responsible for initiating ID Verification should not have access to sensitive customer databases, and vice-versa.
• Secrets Management: API keys, database credentials, and other sensitive information should be stored in a dedicated secrets management system (e.g., HashiCorp Vault, AWS Secrets Manager) rather than hardcoded in the application.

Didit's architecture aligns perfectly with these patterns. Its modular nature means you can integrate specific identity primitives—like ID Verification, Passive & Active Liveness, or NFC Verification—into dedicated microservices. This allows you to build highly secure and scalable workflows. For instance, one microservice might handle the initial user onboarding (using Didit's ID Verification), while another might periodically run compliance checks (utilizing Didit's AML Screening & Monitoring).

Managing API Keys and Credentials Securely

While JWTs handle ongoing authentication, the initial access to Didit's API, especially for programmatic registration and email verification, often involves API keys and client IDs. Didit's programmatic email verification endpoint, for example, returns not only access tokens but also an api_key and client_id upon successful verification. These credentials are vital.

Best practices for managing these credentials include:

• Secure Storage: Never hardcode API keys directly into your codebase. Use environment variables, configuration management tools, or dedicated secrets management services.
• Rotation: Regularly rotate your API keys. If a key is compromised, frequent rotation limits the window of exposure.
• Principle of Least Privilege: Ensure that the API key used by a microservice only has the permissions required for its specific tasks.
• Monitoring: Monitor API key usage for any anomalous activity that might indicate a compromise.

Didit's developer-first approach simplifies this by providing clear documentation on how to obtain and use these credentials securely, making it easier for developers to integrate robust security practices from the outset.

How Didit Helps

Didit is engineered to be an AI-native, developer-first identity platform, making it incredibly easy to integrate secure verification into your microservice architecture. Our platform is built on open, modular identity primitives, allowing you to compose verification workflows precisely to your needs. With Didit, you get:

• Programmatic API Access: Our Auth API enables programmatic login and credential retrieval (client_id, api_key, access_token) without human intervention, ideal for automated microservice deployments.
• Modular and Composable Services: Integrate specific identity checks like ID Verification, Passive & Active Liveness, 1:1 Face Match, AML Screening & Monitoring, or Age Estimation as needed, giving you granular control over data access and processing.
• Developer-First Ecosystem: An instant sandbox, comprehensive public documentation, and clean APIs ensure that securing your integration is straightforward and efficient.
• Free Core KYC: Start building and testing your secure microservice integrations with Didit's Free Core KYC, allowing you to implement robust security patterns without upfront costs.
• No Setup Fees: Our transparent pricing model means you only pay for successful verifications, further lowering the barrier to entry for secure, scalable identity solutions.

Didit acts as your data processor, and you remain the data controller, giving you full control over data retention policies. You can configure retention periods from 1 month to 10 years, or even manually delete individual sessions directly from the Business Console, supporting your GDPR and local data protection obligations.

Ready to Get Started?

Ready to see Didit in action? Get a free demo today.

Start verifying identities for free with Didit's free tier.