API Security Guide

Robility’s robust security mechanisms provide a foundation for safe and efficient automation workflows. These measures ensure that communication between Manager, Designer, and Runner remains secure and reliable. 

1. Authentication and Authorization

a. OAuth 2.0 Authentication: Robility APIs leverage OAuth 2.0 for secure token-based authentication.   
b. User Authentication: Access requires valid credentials or API keys, with support for Multi-Factor Authentication (MFA) for enhanced security. 
c. Role-Based Access Control (RBAC): Permissions are assigned based on user roles, ensuring that only authorized individuals can perform specific actions. 

2. TLS Encryption 

a. Encrypted Communication: All API communications between Manager, Designer, and Runner are encrypted using HTTPS with TLS.
b. Certificate Validation: Certificates are validated by Manager to ensure secure connections and prevent unauthorized access. 

3. Session Management 

a. Token-Based Authentication: Sessions are secured with time-limited tokens. Refresh tokens allow for seamless re-authentication. 
b. Automatic Session Timeout: Sessions automatically expire after a set period of inactivity to reduce risks. 

4. Data Security 

a. Payload Encryption: Sensitive data within API requests and responses is encrypted to prevent unauthorized access.
b. Secure Data Storage: Credentials and other sensitive information are stored in encrypted formats. 

5. Input Validation 

a. Sanitized Inputs: All API inputs are validated and sanitized to prevent injection attacks like SQL injection or cross-site scripting (XSS). 
b. API Rate Limiting: Throttling mechanisms are in place to prevent overuse and mitigate denial-of-service (DoS) attacks. 

6. Secure Manger Hosting 

a. Tenant Data Isolation: In multi-tenant deployments, each tenant’s data is logically isolated to maintain privacy and security.  

Best Practices for API Security 

1. Use strong, unique passwords and enable MFA for all accounts.
2. Regularly update and rotate API keys and access tokens.  
3. Monitor audit logs for unusual activity and configure alerts for anomalies.  
4. Limit API access to specific IP ranges or VPNs.  
5. Regularly review and update permissions to ensure minimal access for each role.