Security

Last but not least is security. First of all, all APIs should be served over TLS (HTTPS). Requests sent over plain HTTP should fail rather than be silently redirected to HTTPS: an API client that mistakenly sends a credential in clear text has already leaked it by the time a redirect arrives, so failing loudly is the only response that surfaces the bug.

For authentication, there are several approaches. The most basic one is HTTP Basic authentication, in which the API client sends a randomly generated access token as the value of the username field (leaving the password field empty). Basic credentials are only base64-encoded, not encrypted, so this scheme is acceptable only over TLS. Another approach is to support OAuth2, so that end users can grant third-party applications access to their data via the APIs without sharing their own passwords. Sometimes these two approaches won't work or are not ideal; for example, you might require the API clients to pass extra information during authentication. In such a case, you can use JWT (short for JSON Web Tokens), an open standard (RFC 7519) that defines a compact and self-contained way to transmit claims between the API clients and the server as a signed JSON object. The server must verify the signature, pin the accepted algorithm, and check the expiry claim before trusting anything in the token. This doesn't mean using JWT as a replacement for the HTTP session.
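The two token-based approaches above, as an added example that is not code from the book or from the TaskAgile project: the server side of token-as-username HTTP Basic authentication, and a minimal HS256 JWT signer and verifier. The client name, the sample access token, the signing key and the claim names are assumptions for illustration; the HMAC construction is written out by hand only to show what a JWT library checks for you (the pinned algorithm, the constant-time signature comparison and the `exp` claim), and a maintained library should be used in production.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: access tokens the server has issued to API clients.
# The client name and token value are assumptions for this example; a real
# store would keep the tokens hashed, as it would passwords.
ISSUED_TOKENS = {
    "task-agile-cli": "1bZgqvQ2mSKbF0Jt9e3vZgPbYX1MSa1Bz6oC7T7fLkM",
}


def basic_header(token):
    """Build the header an API client sends: the token as the username, empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode("ascii")


def authenticate_basic(authorization_header):
    """Return the client name for a valid token-as-username Basic header, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    token, _, _password = decoded.partition(":")  # password field is ignored
    token_bytes = token.encode("utf-8")
    for client, issued in ISSUED_TOKENS.items():
        # Constant-time comparison so response timing does not leak how many
        # leading bytes of a guessed token were correct.
        if hmac.compare_digest(token_bytes, issued.encode("utf-8")):
            return client
    return None


def b64url_encode(data):
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims, key):
    """Produce a compact HS256 JWT (header.payload.signature) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def jwt_verify(token, key, now=None):
    """Return the claims if the token is well-formed, HS256-signed with `key` and
    not expired; otherwise None. The algorithm is pinned server-side, so a token
    whose header claims "alg": "none" is rejected instead of trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None
    if claims["exp"] <= (time.time() if now is None else now):
        return None
    return claims
```

`jwt_verify` takes an explicit `now` so that expiry handling can be exercised deterministically; a token without an `exp` claim is rejected outright, because a self-contained token that never expires cannot be revoked once issued.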

The three authentication approaches described previously are for public APIs. For the internal APIs of the TaskAgile application, we will use Spring Security.

Besides authentication, the following are other security considerations:

  • Never expose security-related information in URLs, such as usernames, passwords, session tokens, and API keys, since URLs are captured in web server logs, proxy logs, browser history, and the Referer header sent to other sites; put such values in headers or the request body instead
  • Always validate the input parameters of an API and fail the request immediately when there is a validation error
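The two rules above applied to a single request handler, as an added example that is not code from the book or the TaskAgile project: the check runs before any business logic, refuses credential-like names in the query string (where they would be logged), and rejects the body on the first validation error. The endpoint, field names and length limits are assumptions for illustration.

```python
import re
from datetime import date

# Parameter names that must never travel in a URL, because URLs end up in logs.
SECRET_PARAMETER_NAMES = {"username", "password", "token", "access_token", "api_key", "session_id"}


def validate_create_task_request(query_params, body):
    """Validate a hypothetical POST /api/tasks request; return (status, error).

    Returns (200, None) when the request is acceptable, otherwise (400, message)
    for the first problem found, so invalid input never reaches the service layer.
    """
    # Rule 1: fail any request that carries credentials in the query string,
    # even if the rest of the request is well-formed.
    for name in query_params:
        if name.lower() in SECRET_PARAMETER_NAMES:
            return 400, f"parameter '{name}' must not be sent in the URL"

    # Rule 2: validate the body field by field and stop at the first error.
    if not isinstance(body, dict):
        return 400, "request body must be a JSON object"
    unknown = set(body) - {"title", "dueDate"}
    if unknown:
        return 400, "unknown field(s): " + ", ".join(sorted(unknown))
    title = body.get("title")
    if not isinstance(title, str) or not 1 <= len(title.strip()) <= 200:
        return 400, "title is required and must be 1-200 characters"
    due = body.get("dueDate")
    if due is not None:
        if not isinstance(due, str) or not re.fullmatch(r"\d{4}-\d{2}-\d{2}", due):
            return 400, "dueDate must be in YYYY-MM-DD format"
        try:
            date.fromisoformat(due)
        except ValueError:
            return 400, "dueDate is not a valid calendar date"
    return 200, None
```

Rejecting unknown fields is deliberate: a permissive validator that ignores extra keys is how mass-assignment bugs slip through when the request body is later bound straight onto a domain object.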