API Security

Web services are typically accessed from mobile applications directly and provide critical interfaces between systems in federated architectures. Airlock WAF and IAM combine their forces to provide in-depth API security.

Airlock WAF
RESTful web services often use JSON for data transfer. Airlock WAF’s integrated JSON parser allows the consistent application of security policies both to standard HTML form posts and REST calls.
Moreover, Airlock WAF provides a patent-pending1) dynamic whitelisting technique called DyVE (Dynamic Value Endorsement). DyVE allows the dynamic endorsement of selected attribute values within a session's scope. Subsequent REST calls must comply by using endorsed values for the selected attributes. As a simple example, consider online banking transactions. Using DyVE, it is possible for Airlock WAF to enforce transactions to only debit accounts previously offered by the banking server.

Mobile clients typically ignore cookies, which are traditionally used for secure session handling in web applications. In order to protect mobile sessions, Airlock WAF supports session management based on access tokens (e.g., Bearer tokens).
Airlock WAF's SOAP/XML filters also interpret WSDL and schema files to ensure that a web service API is used in the specified form.

Airlock IAM
Airlock IAM enables central authentication and authorization for mobile apps and other web service clients by implementing standards such as OAuth and OpenID Connect. Depending on the capabilities of the back-end service, Airlock IAM may propagate identities in different formats, e.g. using JWT or SAML. Moreover, Airlock IAM provides a REST API for user authentication, which can easily be integrated into custom mobile apps.


  • Protection of REST and SOAP webservices
  • Built-in support for JSON
  • OAuth 2.0 and OpenID Connect
  • Dynamic Value Endorsement (DyVE)
  • Session Management based on Access Tokens
  • REST API for user authentication

1) Swiss patent application filed for DyVE