APiGen Security

Enterprise-grade security platform with multi-provider authentication, advanced authorization, account protection, and production-ready threat detection.

Overview

Securing modern APIs requires juggling multiple authentication methods, providers, and threat scenarios:

• ❌ Manual JWT implementation (token generation, validation, refresh flow, blacklisting)
• ❌ OAuth2 complexity (5+ providers with different configuration patterns)
• ❌ SAML headaches (metadata exchange, certificate management, SSO flows)
• ❌ 2FA boilerplate (TOTP secrets, WebAuthn ceremonies, SMS delivery)
• ❌ Rate limiting across instances (distributed state, algorithm selection)
• ❌ Account takeover prevention (anomaly detection, breach monitoring, device tracking)

APiGen Security solves this by providing:

• ✅ Unified authentication API across JWT, OAuth2, SAML, API Keys (one interface, 5+ methods)
• ✅ Multi-provider OAuth2 with zero boilerplate (Auth0, Keycloak, Azure AD, Okta, Cognito)
• ✅ Production-ready 2FA (TOTP, WebAuthn/FIDO2, SMS with backup codes)
• ✅ Distributed rate limiting (Bucket4j + Redis, 7 algorithms, per-user/IP/endpoint)
• ✅ Advanced account protection (anomaly detection, HIBP breach checking, suspicious login alerts)
• ✅ Secrets management (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault)

Features

Authentication Methods

• JWT - Access + refresh token flow with HS512
• OAuth2 - Resource server with multi-provider support
• SAML 2.0 - Enterprise SSO with metadata exchange
• API Keys - Programmatic access with scopes and rotation
• Two-Factor Authentication (2FA) - TOTP, WebAuthn/FIDO2, SMS

Security & Protection

• Rate Limiting - Bucket4j with Redis for distributed limiting
• Token Blacklisting - Logout and revocation support
• Account Protection - Anomaly detection, suspicious login alerts
• Secrets Management - AWS, HashiCorp Vault, Azure Key Vault

Authorization

• Role-Based Access Control (RBAC) - Users, roles, permissions
• Scope-Based Permissions - Granular API key permissions
• Security Audit Logging - Track all authentication events

Usage

Gradle:

dependencies {
    implementation 'com.jnzader:apigen-security:1.0.0-SNAPSHOT'
}

Maven:

<dependency>
    <groupId>com.jnzader</groupId>
    <artifactId>apigen-security</artifactId>
    <version>1.0.0-SNAPSHOT</version>
</dependency>

Quick Start

1. JWT Authentication

Login:

curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "user@example.com",
    "password": "password123"
  }'

Response:

{
  "accessToken": "eyJhbGciOiJIUzUxMiJ9...",
  "refreshToken": "eyJhbGciOiJIUzUxMiJ9...",
  "tokenType": "Bearer",
  "expiresIn": 900
}

2. OAuth2 Integration

Supported Providers:

• Auth0 - https://{tenant}.auth0.com/
• Keycloak - https://{host}/realms/{realm}
• Azure AD - https://login.microsoftonline.com/{tenant}/v2.0
• Okta - https://{org}.okta.com/oauth2/default
• AWS Cognito - https://cognito-idp.{region}.amazonaws.com/{userPoolId}

3. Rate Limiting

Per-User Tiers:

Tier	RPS	Burst	Use Case
FREE	10	20	Development
BASIC	50	100	Small apps
PRO	100	200	Production
ENTERPRISE	500	1000	High-traffic

4. Account Protection

Anomaly Detection:

• New device detection
• Geolocation anomalies
• Impossible travel (e.g., Madrid → Tokyo in 1 hour)
• Suspicious activity patterns

Automatic Actions:

• Email alerts for suspicious logins
• Account lockout after failed attempts
• Device fingerprinting
• IP reputation scoring