Lately I have been working a lot on API development: partly because the English startup moyd.co LTD, of which I am one of the founders, sells a product based exclusively on APIs, and partly because developing open web products that can integrate with each other is becoming a necessity for many customers, both Italian and English.
Last month I also attended APIcon UK 2014, where a talk by David Berling highlighted some programming best practices for improving API security.
When working with API-based systems, we often find ourselves with a centralized system that handles authentication and returns a token. This token must then be included in every API request to prove that the user is actually logged in.
The first tip is to use a scheme that follows the operating logic of OAuth2, that is, two tokens rather than one: alongside the classic authentication token, a refresh token is also issued. Every API request carries the authentication token, whose expiry is never extended by use (unlike a session); on the contrary, it has a very short lifetime (10-15 minutes, as an order of magnitude). When it expires, the API server calls the authentication server with the second token, which can return two new tokens: a new authentication token with a short lifetime and a new refresh token with a longer one.
The shorter the validity period of the authentication token, the more security you gain.
It is common practice to use a system-level tool such as fail2ban to block the access attempts of a so-called brute-force attack. Using this daemon with our API software is not difficult: just log the unauthorized access attempts and configure fail2ban to monitor that file. Personally, though, I prefer to implement this feature in code because, in addition to blocking the IPs that try to connect with incorrect credentials, you can also enforce a rate limit: with that, a given IP can still generate at most X calls in a given time interval, even when it is properly authenticated.
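The in-code variant described above, as an added example that is not code from the post: a small per-IP guard that temporarily bans a source address after repeated failed logins and, independently, caps the number of calls any address (authenticated or not) may make in a sliding window. The class name, the thresholds and the `now` parameter (passed explicitly so the behaviour is deterministic) are assumptions of this example.

```python
import time
from collections import defaultdict, deque


class IpGuard:
    """Hypothetical per-IP guard: lockout after failed logins plus a rate cap.

    Thresholds below are illustrative defaults, not values from the post.
    """

    def __init__(self, max_failures=5, failure_window=600, ban_seconds=3600,
                 max_calls=100, call_window=60):
        self.max_failures, self.failure_window = max_failures, failure_window
        self.ban_seconds = ban_seconds
        self.max_calls, self.call_window = max_calls, call_window
        self._failures = defaultdict(deque)   # ip -> timestamps of failed logins
        self._calls = defaultdict(deque)      # ip -> timestamps of accepted calls
        self._banned_until = {}               # ip -> unix time when the ban lifts

    @staticmethod
    def _prune(dq, cutoff):
        # Drop timestamps that fell out of the sliding window.
        while dq and dq[0] < cutoff:
            dq.popleft()

    def is_banned(self, ip, now=None):
        now = time.time() if now is None else now
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # ban expired: forget it
            del self._banned_until[ip]
            return False
        return True

    def record_failed_login(self, ip, now=None):
        """Call on every bad-credential attempt; returns True when a ban starts."""
        now = time.time() if now is None else now
        dq = self._failures[ip]
        self._prune(dq, now - self.failure_window)
        dq.append(now)
        if len(dq) >= self.max_failures:
            self._banned_until[ip] = now + self.ban_seconds
            dq.clear()
            return True
        return False

    def allow_call(self, ip, now=None):
        """Gate every API call, even authenticated ones; returns (allowed, reason)."""
        now = time.time() if now is None else now
        if self.is_banned(ip, now):
            return False, "banned"
        dq = self._calls[ip]
        self._prune(dq, now - self.call_window)
        if len(dq) >= self.max_calls:
            return False, "rate_limited"
        dq.append(now)
        return True, "ok"
```

Call `allow_call` before handling any request and `record_failed_login` from the authentication handler; the timestamps it keeps are exactly what you would otherwise write to a log for fail2ban to read.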