We’re implementing a comprehensive security policy for our c8y-1019 REST API integrations and want to ensure we’re following best practices. Our current approach uses basic OAuth2, but we need to strengthen token management and implement proper access controls. What authentication patterns have worked well for enterprise deployments? Interested in hearing about OAuth2 implementation details, token lifecycle management strategies, and how you’ve implemented granular access controls across different API endpoints.
Good points on token rotation and least privilege. How do you handle API keys for system-to-system integrations? We have several backend services that need persistent access without user interaction. Is OAuth2 client credentials flow the way to go?
Secrets management is critical. Use a proper secrets vault (HashiCorp Vault, AWS Secrets Manager) for storing client secrets and tokens. Never commit credentials to source control. Implement automatic secret rotation and alerting when secrets are accessed. We’ve caught several security incidents through vault audit logs.
Client credentials flow is perfect for service accounts. But add certificate-based authentication for high-security scenarios. We use mutual TLS for our most critical integrations. Also implement request signing (HMAC) for tamper detection. These layers complement OAuth2 nicely for zero-trust architecture.