Add API-based authentication lifecycle section #2022

Open
Alvi24-hub wants to merge 1 commit into OWASP:master from Alvi24-hub:add-api-auth-lifecycle-section

@Alvi24-hub

This PR introduces a new subsection titled:

"Where Authentication Decisions Should Occur in an API-Based System"

The goal is to provide architectural context for API-first systems by describing:

  • A simplified API authentication request lifecycle
  • Where authentication and authorization decisions occur
  • Separation of login, middleware, and risk-based controls

This change does not modify any existing recommendations.
It connects existing guidance into a clearer architectural model.

Additional responsibility breakdown (login endpoint, middleware, token refresh, risk escalation) will be submitted in follow-up PRs.

Part of #2013
