With the growth of cloud native applications, developers increasingly rely on APIs to make everything work. But security often lags behind, making APIs an attractive target for bad actors looking to access valuable business data. OAuth, a powerful framework for API security, offers tools to protect sensitive business data and enforce dynamic access controls. But to harness its full potential, you need more than standards—you need strategies for adapting to evolving security demands.

Designed for developers, architects, and security professionals, this guide provides everything you need to secure APIs in the cloud native era—ensuring your business data stays protected. You'll learn how to combine OAuth's token-based model with cloud native platforms like Kubernetes to build a scalable, zero trust security architecture. With OAuth, you can go beyond simple allow/deny rules and create security policies that align with business needs, while Kubernetes provides best-in-class deployment patterns to keep systems secure and efficient.

• Understand why user identity must be part of your cloud native security stack
• Discover how to integrate user identity into APIs
• Learn to externalize security and secure data access using OAuth
• Uncover methods for running security components in a Kubernetes cluster
• Get the latest security best practices for client applications and APIs

Table of Contents

Part I. Introducing Cloud Native OAuth

Chapter 1. Why Do You Need OAuth?

Chapter 2. OAuth 2.0 Distilled

Chapter 3. Security Architecture

Chapter 4. OAuth Data Design

Part II. Securing APls with Tokens

Chapter 5. Secure API Development

Chapter 6. Access Token Design

Chapter 7. Secure Access Tokens

Chapter 8. Proxies, Gateways, and Sidecars

Chapter 9. Entitlements

Part Ill. Operating Cloud Native OAuth

Chapter 10. Workload Identities

Chapter 11. Managing a Cloud Native Authorization Server

Part IV. Securing API Clients

Chapter 12. OAuth for Native Applications

Chapter 13. OAuth for Browser-Based Applications

Chapter 14. User Authentication

About the Authors

Gary Archer has worked as a lead developer and architect for 20 years, providing investment banking solutions. This work included leading the design for many OAuth-based migrations and gaining an understanding of the code simplicity it can enable, as well as the learning curve faced by engineering teams in a distributed security architecture. His experience also includes extensive onsite support of complex business systems. Gary has worked at Curity for the last few years in a role focused on teaching many end-to-end security flows, including web, mobile, and API components and how to integrate them with security components.

Judith Kahrer's interest in security and identity started in high school. She believed that security is a critical element of the future of IT, a belief she still holds today. She has worked in different technical roles throughout her career and gained experience in various levels of security, from high-tech protocols to low-tech policies. Thanks to this diverse background, she excels in translating and explaining technical details related to but not limited to OAuth and OpenID Connect in blogs, articles, tutorials, webinars, and so on.

Michal Trojanowski is a Product Marketing Engineer at Curity. He has over 15 years of experience working as a developer in various technologies and languages. He's no stranger to backends, frontends, APIs, or mobile apps. That experience has helped him turn to his current role, where he helps people better understand authentication, OAuth, OpenID Connect, or JWTs. Keen to share his knowledge of identity and security-related topics.