How APIs call other APIs without turning into a credential-sharing nightmare: token exchange, OBO, and least-privilege delegation.
Why this matters
IAM has shifted from static controls (users + groups) to dynamic, signal-driven decisioning. This topic matters now because it focuses on:
- short-lived credentials and continuous verification
- delegated authorization (least privilege across services)
- non-human identities (workloads + automation)
- real-world attack paths and operational controls
Key concepts
- Actors: who is making the request (human, workload, agent).
- Credentials: what proves identity (passkeys, certs, tokens).
- Policy: what is allowed (roles, attributes, relationships).
- Signals: what can change the decision (risk, device posture, location).
- Enforcement: where access is actually enforced (gateway, app, API, data layer).
In practice
- Start with a simple “happy path” flow.
- Add the failure modes (expired token, revoked session, missing entitlement).
- Add observability: correlation IDs, audit events, and alerting.
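The three steps above (happy path, failure modes, observability) carried through in one added Python example, written for this page rather than taken from the original: a simplified RFC 8693-style token exchange in which a calling API presents the user's token and receives a narrowed, short-lived delegated token. The policy table, service names, scopes and the unsigned dict-based tokens are constructed assumptions.

```python
import time
import uuid

# Constructed policy (an assumption for this example, not the page's own config):
# which calling service may act on behalf of a user, and the most it may receive.
DELEGATION_POLICY = {
    "orders-api": {"allowed_scopes": {"inventory:read"}},
}
AUDIT_LOG = []  # audit events, each tagged with a correlation id

class ExchangeError(Exception):
    """Raised when the exchange is refused; the message is the audited reason."""

def exchange_token(subject_token, actor, requested_scopes, now=None):
    """Simplified RFC 8693-style exchange: an API (the "actor") presents the user's
    token and gets back a short-lived token narrowed to the least privilege it
    needs, with an `act` claim recording the delegation. Tokens are plain dicts
    here so the example runs offline; a real issuer verifies signatures first."""
    now = time.time() if now is None else now
    corr = str(uuid.uuid4())
    sub = subject_token.get("sub")

    def deny(reason):
        AUDIT_LOG.append({"event": "exchange_denied", "actor": actor, "sub": sub,
                          "reason": reason, "correlation_id": corr})
        raise ExchangeError(reason)

    # Failure modes from the list above, checked before anything is minted.
    if subject_token.get("exp", 0) <= now:
        deny("expired_token")
    if subject_token.get("revoked"):
        deny("revoked_session")
    policy = DELEGATION_POLICY.get(actor)
    if policy is None:
        deny("actor_not_allowed")
    # Least privilege: the user's scopes, the actor's ceiling and the request must all agree.
    granted = set(subject_token.get("scope", ())) & policy["allowed_scopes"] & set(requested_scopes)
    if not granted:
        deny("missing_entitlement")

    # 5-minute lifetime, and never outliving the token it was derived from.
    delegated = {"sub": sub, "act": {"sub": actor}, "scope": sorted(granted),
                 "iat": now, "exp": min(now + 300, subject_token["exp"])}
    AUDIT_LOG.append({"event": "exchange_granted", "actor": actor, "sub": sub,
                      "scope": delegated["scope"], "correlation_id": corr})
    return delegated
```

Every decision, granted or denied, lands in AUDIT_LOG with the same correlation id you would propagate to the downstream call, which is what makes the delegation chain reconstructable during incident response.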
Common pitfalls
- Treating authentication as the whole problem (authorization and session control are usually the hard parts).
- Long-lived tokens/keys for automation.
- No ownership/approval path for high-risk access.
- No story for incident response (how do you remove access fast?).
Where to go next
- Specifications: /category/specifications
- Identity for AI: /category/identity-for-ai
- Identity Security: /category/identity-security
- PAM: /category/pam
