Drop-in, dependency-free building blocks **and** the guidance to use them, for securing an HTTP / REST API. Every control that usually gets bolted on too late -- authentication, authorization, rate li
Browse the actual product documentation and code examples included in this toolkit.
Key features of API Security Framework
• **Backend / API engineers** who want correct, copy-pasteable implementations of • **Security engineers** reviewing or hardening an API and looking for a reference • **Tech leads** standardizing auth, rate limiting, and headers across services. • **Learners** who want to *understand* JWT verification, CORS, and rate limiting • **Pin, don't trust.** The JWT verifier is told which algorithm to use; it never • **Constant-time comparison.** Signatures are compared with `hmac.compare_digest`
**Backend / API engineers** who want correct, copy-pasteable implementations of
**Security engineers** reviewing or hardening an API and looking for a reference
**Tech leads** standardizing auth, rate limiting, and headers across services.
**Learners** who want to *understand* JWT verification, CORS, and rate limiting
**Pin, don't trust.** The JWT verifier is told which algorithm to use; it never
**Constant-time comparison.** Signatures are compared with `hmac.compare_digest`
Configure API Security Framework parameters to see how the product works.
# --- Python: each module self-tests when run directly --- python3 src/python/jwt_auth.py # verifies tokens; rejects alg:none, tamper, expiry python3 src/python/rate_limiter.py # token bucket + sliding window python3 src/python/input_validation.py # allow-list validation, mass-assignm