API Security: OAuth 2.0, JWT, and mTLS in Microservices
Defense-in-Depth for Fintech APIs
Layered API security architecture for production microservices — from OAuth scopes at the edge to mTLS for service-to-service communication, with practical patterns from Mastercard-scale fintech systems.
Defense in Depth
In fintech, security isn't a single layer — it's concentric rings. At Mastercard, we implemented: Akamai CDN for edge WAF and DDoS protection, APIGW for OAuth token validation and rate limiting, service-level OAuth scope checks for authorization, and mTLS for inter-service communication. Each layer assumes the previous may be compromised.
OAuth Scopes for Fine-Grained Authorization
OAuth scopes are your authorization contract with API consumers. Design scopes around operations, not resources: `account:read`, `account:write`, `pan:register`. In Spring Security, map scopes to method-level security with @PreAuthorize. The key insight: validate scopes at the API gateway AND in the service — defense in depth means not trusting the gateway alone.
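A service-side scope check of the kind described above, as an added example that is not code from the original post. It assumes Spring Boot 3 / Spring Security 6 with the OAuth 2.0 resource-server starter, a JWT whose `scope` claim carries the space-delimited scopes, and a hypothetical `AccountController`; the issuer URI is a placeholder.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.*;

// Added example: the service validates the bearer token and its scopes itself,
// so a request that bypasses or fools the gateway is still rejected here.
@Configuration
@EnableMethodSecurity // turns on @PreAuthorize evaluation on controller methods
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // No anonymous access: every request needs a valid token, gateway or not.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Verify signature, exp and issuer locally using the issuer's JWKS.
            // Configured via application properties (placeholder issuer):
            //   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://issuer.example/
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // Stateless bearer-token API: no session cookie, so CSRF protection is not needed.
            .csrf(AbstractHttpConfigurer::disable);
        return http.build();
    }
}

// Hypothetical controller. Spring's default JwtGrantedAuthoritiesConverter maps each
// entry of the "scope" claim to an authority named SCOPE_<scope>, which is what the
// @PreAuthorize expressions below check. A token lacking the scope gets HTTP 403.
@RestController
@RequestMapping("/accounts")
class AccountController {

    @GetMapping("/{id}")
    @PreAuthorize("hasAuthority('SCOPE_account:read')")
    public String read(@PathVariable String id) {
        return "account " + id;
    }

    @PutMapping("/{id}")
    @PreAuthorize("hasAuthority('SCOPE_account:write')")
    public String update(@PathVariable String id, @RequestBody String body) {
        return "updated " + id;
    }

    @PostMapping("/{id}/pan")
    @PreAuthorize("hasAuthority('SCOPE_pan:register')")
    public String registerPan(@PathVariable String id, @RequestBody String pan) {
        return "pan registered for " + id;
    }
}
```

With this in place, a token minted for `account:read` alone is accepted at the gateway but still gets 403 from `update` and `registerPan`, which is the double check the paragraph calls for.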