
What are the API specifications of GraphQL and REST APIs?

By Deepraj R
September 4, 2022

The major difference between GraphQL and REST APIs is that in GraphQL the configuration is set per query, whereas in a REST API the configuration is set per API.

Global authorization

What is an authorization?

Authorization is the process of restricting and permitting access to resources, allowing only certain users or user groups to perform the specific actions defined for them. This ensures that data is accessed securely by client requests.

What is a global authorization?

The global authorization feature does the same, but the setting applies globally across the individual application/API. It is also used to enable authorization for non-privileged users. If another authorization (with or without a role) is enabled, that authorization takes precedence.

As an additional note, in global authorization you can choose only one of the available authorization types.


Available authorization types

1. API key 

An API key is an encrypted string used to authorize an application to access an API without a trustee/actual user. The application sends the key with each API request; the key identifies the application and authorizes the request.

How the key is sent differs between APIs: the “keys” and their corresponding “values” are added to the “Header” or the “Query Params”, depending on the functionality.

2. Bearer token 

Authentication with bearer tokens is an HTTP authentication scheme that works simply as “grant access to the bearer of this particular token.”

It allows client requests to be authenticated using a security token/access key, such as a JWT (JSON Web Token). The token is simply a ciphered text string included in the request header.

3. Basic auth 

As the name conveys, basic auth is the simple authentication scheme built into the Hypertext Transfer Protocol (HTTP). The request carries the username and password to authorize the client with the server and gain access to the protected resource.

4. OAuth 2.0 

OAuth 2.0 is the advanced version of OAuth, which allows client requests with added security. OAuth depends on “flows” (also known as grant types) for authentication, enabling protected resources to be shared without revealing the user's credentials. The OAuth 2.0 server generates access tokens that allow client applications to access the protected data stored on the servers. For more insights on OAuth 2.0, refer to oauth.net and RFC 6749.


Global headers 

What is a header? 

API headers represent the metadata related to the API request and response. They provide additional information for each API call generated, which makes troubleshooting much simpler.

API headers are primarily “key-value pairs” and are visible in the message, usually right after the request or response line.

What is a global header?

The global header feature does the same, but the header is set globally across the individual asset. If a local header is enabled for the asset, the local one takes precedence.
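An added example (not from Beagle Security's documentation or code) that models the precedence rules described above together with the four authorization types: an API/role-level authorization replaces the global one, and a local header overrides a global header with the same key. The configuration dictionaries, the `render_auth` and `build_request` helpers, and all sample values are constructed for illustration.

```python
import base64
from urllib.parse import urlencode

# Constructed example: applies the precedence rules described on this
# page (an API/role-level authorization overrides the global one; a local
# header overrides a global header with the same key) and shows how each
# authorization type is attached to an outgoing request.

def render_auth(auth):
    """Return (headers, query_params) for one authorization config."""
    kind = auth["type"]
    if kind == "api_key":
        # API keys travel in a header or a query param depending on the API
        if auth.get("in") == "query":
            return {}, {auth["key"]: auth["value"]}
        return {auth["key"]: auth["value"]}, {}
    if kind == "bearer":
        return {"Authorization": f"Bearer {auth['token']}"}, {}
    if kind == "basic":
        creds = f"{auth['username']}:{auth['password']}".encode()
        return {"Authorization": "Basic " + base64.b64encode(creds).decode()}, {}
    if kind == "oauth2":
        # Once the grant flow has run, the OAuth 2.0 access token is sent as a bearer token
        return {"Authorization": f"Bearer {auth['access_token']}"}, {}
    raise ValueError(f"unknown authorization type: {kind}")


def build_request(path, global_auth=None, api_auth=None,
                  global_headers=None, local_headers=None):
    """Resolve the URL and headers for one API call, applying precedence."""
    auth = api_auth or global_auth  # API/role-level authorization wins
    headers, query = render_auth(auth) if auth else ({}, {})
    headers.update(global_headers or {})  # global headers first...
    headers.update(local_headers or {})   # ...then local ones override
    url = path + ("?" + urlencode(query) if query else "")
    return url, headers


# Constructed sample configuration (hypothetical values, not from the page)
GLOBAL_AUTH = {"type": "api_key", "in": "header", "key": "X-API-Key", "value": "global-key"}
ADMIN_AUTH = {"type": "basic", "username": "admin", "password": "s3cret"}
GLOBAL_HEADERS = {"Accept": "application/json", "X-Env": "global"}

if __name__ == "__main__":
    print(build_request("/users", GLOBAL_AUTH, None, GLOBAL_HEADERS))
    print(build_request("/admin", GLOBAL_AUTH, ADMIN_AUTH, GLOBAL_HEADERS, {"X-Env": "local"}))
```

Because headers are merged last, a global or local header named `Authorization` would overwrite the one produced by the authorization type, which is worth checking for when both are configured.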


Global variable

What is a variable? 

A variable (as the name suggests) is used to reference a value, another variable, a valid URL, or an XSLT XPath statement. Variables were introduced to development and testing to make usage easier by declaring “a unique short keyword for a long value.”

What is a global variable? 

The global variable feature sets the variable globally across the individual asset for the entire project or application. It helps to access data from collections, requests, and environments with the predefined key-value pair.


API authorization 

What is an API authorization? 

API authorization ensures that only legitimate users are allowed to access or perform actions upon the data, thereby preventing unauthorized data access.

Types of API authorization

1. Role-based authorization

Role-based authorization allows you to permit and restrict access to data for pre-defined user roles according to its confidentiality. In Beagle Security, you can define any number of authorizations, each with a unique name and an authorization type (API key, bearer token, basic auth, or OAuth 2.0).

After defining the authorizations, you can configure them to define the individual user roles and provide the keys, values, and other parameters according to the authorization type you chose.

2. Authorization without role

Authorization without role authorizes users to access the data securely based on the parameters provided for the authorization type (API key, bearer token, basic auth, or OAuth 2.0); it doesn't require any user roles. You can also add any number of authorization types with unique names and parameters in this tab, according to your requirements.


APIs 

Call it the API control panel or the cabin (your wish and our command).  

As mentioned earlier, the APIs menu is your all-in-one control panel, in which you can view, edit, add, delete, and even duplicate APIs individually or as a group.

You can also click the “Send” button to get a response for the API request with its configuration, to verify that it is working.


API role map 

Here you can find the complete list of APIs in the current working application, perform bulk configurations, and define authorizations for every API in a much simplified interface.


Import log

The import log menu lets you see all the issues with the API configurations. It gives a quick view of the errors and conflicts in a simplified user interface, so that debugging the conflicts is much easier.
