11 Securing service-to-service APIs
- Authenticating services with API keys and JWTs
- Using OAuth2 for authorizing service-to-service API calls
- TLS client certificate authentication and mutual TLS
- Credential and key management for services
- Making service calls in response to user requests
11.1 API keys and JWT bearer authentication
11.2 The OAuth2 client credentials grant
11.2.1 Service accounts
11.3 The JWT bearer grant for OAuth2
11.3.1 Client authentication
11.3.2 Service account authentication
11.4 Mutual TLS authentication
11.4.1 How TLS certificate authentication works
11.4.2 Client certificate authentication
11.4.3 Verifying client identity
11.4.4 Using a service mesh
11.4.5 Mutual TLS with OAuth2
11.4.6 Certificate-bound access tokens
11.5 Managing service credentials
11.5.1 Kubernetes secrets
11.5.2 Key and secret management services
11.5.3 Avoiding long-lived secrets on disk
11.5.4 Key derivation
11.6 Service API calls in response to user requests
11.6.1 The phantom token pattern
11.6.2 OAuth2 token exchange
11.7 Summary