Security and authentication | ChipFoundryServices

Home› Knowledge Base› Security and authentication

Security and authentication for AI APIs encompasses protecting access, data, and systems from unauthorized use and attacks — implementing API key management, OAuth flows, encryption, rate limiting, and AI-specific defenses like prompt injection protection to secure LLM applications against both traditional and novel threats.

Why API Security Matters

Access Control: Prevent unauthorized API usage.
Data Protection: Keep user data and prompts confidential.
Cost Protection: Avoid API abuse that runs up bills.
Compliance: Meet regulatory requirements (GDPR, HIPAA).
Trust: Security failures destroy user confidence.

Authentication Methods

API Keys:

# In request header
headers = {
    "Authorization": "Bearer sk-abc123...",
    "Content-Type": "application/json"
}

# Server-side validation
def validate_key(request):
    key = request.headers.get("Authorization")
    if not key or not key.startswith("Bearer "):
        return False
    api_key = key[7:]  # Remove "Bearer "
    return is_valid_key(api_key)

OAuth 2.0 (For user authorization):

Flow:
1. User redirected to auth provider
2. User grants permission
3. App receives authorization code
4. App exchanges code for access token
5. Use token for API calls

Best for: User-facing applications

JWT (JSON Web Tokens):

import jwt

# Create token
token = jwt.encode(
    {"user_id": "123", "exp": expiry_time},
    SECRET_KEY,
    algorithm="HS256"
)

# Validate token
try:
    payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
    user_id = payload["user_id"]
except jwt.ExpiredSignatureError:
    return "Token expired"
except jwt.InvalidTokenError:
    return "Invalid token"

API Key Best Practices

Never Hardcode Keys:

# ❌ Bad
api_key = "sk-abc123..."

# ✅ Good
import os
api_key = os.environ["OPENAI_API_KEY"]

# ✅ Better (using dotenv)
from dotenv import load_dotenv
load_dotenv()
api_key = os.environ["OPENAI_API_KEY"]

Key Management:

Practice              | Implementation
----------------------|----------------------------------
Rotation              | Change keys periodically
Scoping               | Limit key permissions
Monitoring            | Track usage per key
Revocation            | Ability to invalidate instantly
Secrets Manager       | Use AWS Secrets, HashiCorp Vault

.gitignore:

# Never commit these
.env
*.pem
*_key.json
secrets.yaml

Rate Limiting

Implementation:

from fastapi import Request, HTTPException
from collections import defaultdict
import time

# Simple in-memory rate limiter
request_counts = defaultdict(list)

async def rate_limit(request: Request):
    client_ip = request.client.host
    now = time.time()
    
    # Clean old requests
    request_counts[client_ip] = [
        t for t in request_counts[client_ip] 
        if now - t < 60
    ]
    
    # Check limit
    if len(request_counts[client_ip]) >= 100:  # 100/minute
        raise HTTPException(429, "Rate limit exceeded")
    
    request_counts[client_ip].append(now)

Response Headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1677652288

LLM-Specific Security

Prompt Injection Defense:

def sanitize_input(user_input: str) -> str:
    # Remove potential injection patterns
    suspicious = [
        "ignore previous instructions",
        "system prompt",
        "reveal your",
        "disregard"
    ]
    for pattern in suspicious:
        if pattern.lower() in user_input.lower():
            raise SecurityError("Suspicious input detected")
    return user_input

PII Handling:

import re

def mask_pii(text: str) -> str:
    # Mask emails
    text = re.sub(r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b', 
                  '[EMAIL]', text)
    # Mask phone numbers
    text = re.sub(r'\b\d{3}[-.]?\d{3}[-.]?\d{4}\b', 
                  '[PHONE]', text)
    # Mask SSN
    text = re.sub(r'\b\d{3}-\d{2}-\d{4}\b', 
                  '[SSN]', text)
    return text

Output Filtering:

def filter_response(response: str) -> str:
    # Prevent system prompt leakage
    if system_prompt_fragment in response:
        return "[Response filtered for security]"
    
    # Check for harmful content
    if content_classifier.is_harmful(response):
        return "I cannot provide that information."
    
    return response

Defense in Depth

Layer           | Protection
----------------|----------------------------------
Network         | TLS, firewall, DDoS protection
Application     | Input validation, output filtering
Authentication  | API keys, OAuth, JWT
Authorization   | Role-based access control
Monitoring      | Logging, alerting, anomaly detection

Security Checklist

□ All traffic over HTTPS/TLS
□ API keys in environment variables, not code
□ Rate limiting implemented
□ Input validation and sanitization
□ Output filtering for sensitive data
□ Audit logging enabled
□ Regular key rotation
□ Least privilege access
□ Security headers (CORS, CSP)
□ Dependency vulnerability scanning

Security and authentication are foundational for trustworthy AI services — as LLM APIs handle sensitive data and powerful capabilities, robust security practices protect users, organizations, and the broader ecosystem from misuse and attack.

api securityauthenticationoauthjwtapi keysrate limitingprompt injection defenseencryption

Explore 500+ Semiconductor & AI Topics

From EUV lithography to CUDA optimization — search the full knowledge base or chat with our AI assistant.

🔍 Search Topics 💬 Ask CFSGPT 📚 Browse All