What Is It?
Advanced API Protection allows endpoints to be locked down so that they will only respond to your official app, running in trusted environments, and nothing else. This blocks a wide range of attacks which are otherwise possible by spoofing API requests in various ways.
- Limited-lifetime, token-based security with automatic token renewal
- Block all forms of API abuse by proving your official app is present
- Simple backend integration using industry-standard JWTs
Securing Your APIs
Approov protects your backend APIs from API abuse, credential stuffing, fake botnet registrations, and DDoS attacks. It also protects the third-party APIs you use.
Approov performs an ongoing, deep inspection of your mobile app and the device it is running on and, based on this, guarantees the authenticity of requests to your backend APIs and services using an industry-standard signed JSON Web Token (JWT).
Short Lived Cryptographic Tokens
Backend API Integration
Backend API integration is only necessary if you have your own API backend and are using Approov tokens. If you are using Approov to protect API keys using Runtime Secrets Protection then no backend API integration is needed at all.
Approov tokens are added to your API request headers, and your backend API systems need to be enhanced to verify these tokens. How you handle invalid or missing Approov tokens is up to you — you might reject the requests, rate limit the access, or enable additional security measures. Approov provides the flexibility to balance your security needs against API accessibility.
Token verification is straightforward because the tokens are in the industry-standard JWT format. Your code just needs to make a library call to check that each token has been correctly signed for your account and that it has not expired.
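The two checks described above (signature and expiry), spelled out with the Python standard library so each step a JWT library performs is visible. This is an added example, not Approov's own code. It assumes an HS256 token signed with a shared secret, a hypothetical header name `X-Example-App-Token`, and a hypothetical policy that rate-limits requests with no token and rejects invalid ones; `mint_token` only builds constructed sample tokens.

```python
import base64, hashlib, hmac, json, time

HEADER_NAME = "X-Example-App-Token"  # hypothetical: the page names no header

def _b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint_token(secret: bytes, claims: dict, alg: str = "HS256") -> str:
    """Build a constructed sample token; stands in for the issuing service."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = head + "." + _b64e(json.dumps(claims).encode())
    return body + "." + _b64e(_sign(secret, body))

def verify_token(token, secret: bytes, now=None):
    """Return (True, claims) for a valid token, else (False, reason)."""
    if not isinstance(token, str) or not token:
        return False, "missing"
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, sig = json.loads(_b64d(header_b64)), _b64d(sig_b64)
    except ValueError:  # wrong part count, bad base64, or bad JSON
        return False, "malformed"
    # Pin the algorithm: the token's own header must not choose the check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected-alg"
    # Constant-time comparison against the signature we compute ourselves.
    if not hmac.compare_digest(sig, _sign(secret, header_b64 + "." + payload_b64)):
        return False, "bad-signature"
    try:
        claims = json.loads(_b64d(payload_b64))
        exp = float(claims["exp"])
    except (ValueError, TypeError, KeyError):
        return False, "no-expiry"  # a token without exp never ages out
    if (time.time() if now is None else now) >= exp:
        return False, "expired"
    return True, claims

def handle_request(headers: dict, secret: bytes, now=None) -> str:
    """Hypothetical policy: rate-limit tokenless requests, reject bad tokens."""
    ok, detail = verify_token(headers.get(HEADER_NAME), secret, now)
    if ok:
        return "allow"
    return "rate-limit" if detail == "missing" else "reject"
```

In production the same checks are normally delegated to a maintained JWT library, with the accepted algorithm passed explicitly rather than read from the token.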