I'm trying to build a secure asp.net web api. You can find a lot of ways of how to secure your API, but I want to know what is the best way or the 'industry standard' to implement this for my case.

These are my requirements - The API will be used by a small number of third-party developers for websites/mobile apps etc. - Developers who want to use this API have to be given a key to access the API (Authorization) - Users (Visitors/consumers) have to login into the third-party apps to see their personalized information. - The API will use an ASP membership database for managing/authenticating the users.

I know it's possible to use http basic authentication for authenticating users, but how do I implement the authorization part of the API?

Is OAuth 2.0 a solution?

There is a very good article describing the authentication/authorization with token/key:

• Making your ASP.NET Web API’s secure

It also describes some other good practices regarding ASP.NET Web API security.

I would also suggest the use of the Thinktecture.IndentityModel.40 library that can support the following:

Base

• Base64Url encoding
• Epoch Date Time conversion
• Random number generation
• Time-constant string comparison

Claims

• Anoynmous claims principal
• Authentication instant claim
• Claims-based authorization

Constant

• Useful constants when dealing with algorithms, date time formats, JWT, SWT, WS-Security & WS-Trust

Extension Methods

• XML (to and from XmlReader, XmlDocument, XDocument)
• WS-Trust RSTRs
• Security token conversion
• X.509 Certificates