How to Discuss API Security in English

Learn the English vocabulary and phrases security-conscious developers use to discuss API security — OAuth2, JWT, rate limiting, BOLA, mTLS, and CORS in professional context.

API security is a topic every backend developer encounters — in code reviews, security audits, incident postmortems, and architecture discussions. English-language security discussions have their own vocabulary and communication patterns. This post covers the terms and phrases you need to talk about API security professionally and precisely.

Key Vocabulary

OAuth2 Flow OAuth2 is an authorization framework with multiple “flows” (also called grant types) for different scenarios: authorization code flow for web apps, client credentials flow for server-to-server, device flow for limited-input devices. Developers “implement,” “use,” or “configure” OAuth2 flows. Example: “For the internal microservice communication we use the client credentials flow, not the authorization code flow — there is no user involved.”

JWT Validation JWT (JSON Web Token) validation is the process of verifying a token’s signature, expiry time, issuer, and audience claims. Developers “validate,” “verify,” or “decode” JWTs. Improperly skipping validation is a critical vulnerability. Example: “The middleware validates the JWT on every request by checking the signature against our public key and confirming the aud claim matches our API.”

Rate Limiting Rate limiting controls how many requests a client can make in a given time window. When the limit is exceeded, the API returns a 429 Too Many Requests response. Developers “implement,” “configure,” or “enforce” rate limiting. Example: “We implemented rate limiting at 100 requests per minute per API key and return a Retry-After header with the 429 response.”

API Key Rotation Key rotation is the practice of regularly replacing API keys to limit the damage from a compromised key. Developers “rotate,” “invalidate,” and “reissue” API keys. Rotation can be manual or automated. Example: “Our security policy requires API key rotation every 90 days — we built automation that rotates keys and updates the secret manager without downtime.”

CORS Policy CORS (Cross-Origin Resource Sharing) policy controls which browser origins are allowed to call the API. A misconfigured CORS policy can expose sensitive endpoints to malicious websites. Developers “define,” “configure,” and “tighten” CORS policies. Example: “The CORS policy only allows requests from our production frontend domain — wildcard origins are forbidden in the production environment.”

mTLS (Mutual TLS) In mutual TLS, both the client and the server present certificates to authenticate each other. It is used for service-to-service communication in zero-trust architectures. Developers “configure,” “enable,” or “enforce” mTLS. Example: “All internal service-to-service calls use mTLS so that a compromised pod cannot impersonate another service without a valid certificate.”

BOLA / IDOR Broken Object-Level Authorization (BOLA), also called Insecure Direct Object Reference (IDOR), is the most common API vulnerability: a user can access or modify another user’s resources by manipulating an ID in the request. Developers “check for,” “prevent,” and “patch” BOLA vulnerabilities. Example: “The code review caught a BOLA vulnerability where the /orders/{id} endpoint was not checking that the order belongs to the authenticated user.”

Input Validation Input validation checks that all incoming data matches expected types, ranges, formats, and lengths before processing it. Developers “perform,” “enforce,” and “implement” input validation, often using schema validators. Example: “We enforce strict input validation on the search endpoint to prevent injection attacks — any field that fails the schema check returns a 422.”

Common Phrases and Collocations

“the token has expired” The standard phrase when a JWT or session token is past its expiry time. Use “expired” not “outdated” or “old” in security context. Example: “The client received a 401 because the access token had expired — it needs to use the refresh token to obtain a new one.”

“rotate the API key” The action of replacing an existing key with a new one. Always “rotate” in security discussions. Example: “Rotate the API key immediately if there is any suspicion it has been exposed in logs or a public repository.”

“the request was rejected due to rate limiting” The standard way to explain a 429 response in incident reports or API documentation. Example: “Several requests were rejected due to rate limiting during the load test — we need to increase the limit for the batch processing client.”

“tighten the CORS policy” Used when making CORS restrictions more restrictive. “Tighten” conveys security improvement; “loosen” conveys relaxing restrictions. Example: “Before the production launch, tighten the CORS policy to only allow your verified frontend domains.”

“enforce least privilege” A security principle where API clients are granted only the minimum permissions they need. Developers “apply,” “enforce,” or “implement” least privilege. Example: “The read-only reporting service should use an API key that enforces least privilege — no write or delete permissions.”

Practical Sentences to Practice

  1. “The penetration test found a BOLA vulnerability in the invoice endpoint — we patched it by adding an ownership check against the authenticated user’s ID.”
  2. “We migrated from API keys to OAuth2 client credentials flow for all service-to-service communication.”
  3. “Input validation on the upload endpoint rejects files larger than 10 MB and returns a 413 status with a descriptive error message.”
  4. “After the key rotation, update the secret in the CI environment variables and redeploy the affected services.”
  5. “The mTLS configuration requires services to present a certificate signed by our internal CA — self-signed certificates are rejected.”

Common Mistakes to Avoid

Saying “authenticate” when you mean “authorize” Authentication verifies who you are (checking a JWT signature). Authorization verifies what you are allowed to do (checking permissions). BOLA is an authorization problem, not an authentication problem. Use the correct term in security discussions.

Saying “the API is secure” without qualification Security is never absolute. In professional communication, say “the endpoint validates authentication and enforces object-level authorization” rather than “it is secure.” This shows you understand the layers involved.

Using “block” instead of “reject” for rate limiting Firewalls “block” traffic. Rate limiting “rejects” or “throttles” requests and returns a response (429). Using “block” implies the connection was dropped silently, which is a different behavior.

Summary

API security discussions in English rely on precise vocabulary: OAuth2 flows, JWT validation, rate limiting, BOLA, mTLS, CORS policies, and the principle of least privilege. Using these terms correctly in code reviews, security tickets, and architecture documents signals that you understand security concepts deeply, not just superficially. The OWASP API Security Top 10 is an excellent resource for both security knowledge and professional English — it is written clearly, uses consistent vocabulary, and provides realistic scenarios that mirror real-world team discussions.