Public Guide

How BlackShield Protects APIs and Tenant Boundaries (OWASP API Top 10: 2023)

BlackShield protects its APIs with authenticated access, role checks, rate limits on sensitive flows, and audit trails for evidence access and administrative changes. Audience: Security architects, AppSec reviewers, buyers, and compliance stakeholders. Typical setup time: 12-15 minutes.


Before You Begin

  • Identify the API questions the buyer or reviewer is asking about authorization and abuse controls.
  • Have the admin surfaces and `/audit` available so you can answer with product behavior.
  • Collect recent evidence for rate limiting, access control, and API review cadence.

Guide walkthrough

Step 1

Authentication and authorization in BlackShield

The buyer should be able to point to the exact classes of actions that require authentication and elevated roles.

  • Administrative routes such as `/identity`, `/tenant-rights`, and API key management require authenticated admin access.
  • Read and export permissions are split so not every user who can view data can export evidence.
  • Customer data queries run in the signed-in workspace context rather than a shared global view.

What success looks like

Customer data queries run in the signed-in workspace context rather than a shared global view.

Step 2

Abuse protections BlackShield already applies

This is where BlackShield should answer “what stops brute force, spam, or destructive misuse?”

  • Login, onboarding, token refresh, and OIDC exchange endpoints are rate-limited.
  • Identity writes, API key writes, and tenant deletion are separately rate-limited as sensitive actions.
  • Ingestion endpoints enforce tenant rate limits so one customer cannot push unlimited scan volume unchecked.

What success looks like

Ingestion endpoints enforce tenant rate limits so one customer cannot push unlimited scan volume unchecked.

Step 3

How BlackShield gives you proof the controls are working

A buyer should be able to validate the control story with exported evidence and audit history.

  • Use `/audit` to filter administrative and access events by actor, action, and time range.
  • Use identity audit in `/identity` to review OIDC and SCIM changes separately from the general audit log.
  • Use the same audit and admin surfaces during renewal or incident review so the buyer sees a repeatable control path.
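As an added illustration (not BlackShield's own code), the following Python sketch applies the controls from Steps 1 and 2 in the order a gateway would: tenant scoping of every query, a role check in which read and export are separate grants, and per-tenant token-bucket limits on the sensitive flows, with every decision appended to an audit list that can be filtered by actor, action and time range as Step 3 describes. Role names, permission names and the limit values are assumptions.

```python
import time
from dataclasses import dataclass

# Assumed role-to-permission map (names are mine, not BlackShield's). "read" and
# "export" are separate grants, and admin-only routes require the "admin" grant.
ROLE_PERMS = {"viewer": {"read"}, "analyst": {"read", "export"},
              "admin": {"read", "export", "admin"}}
# Assumed per-tenant limits for sensitive flows: (burst, refill tokens per second).
LIMITS = {"login": (5, 0.1), "api_key_write": (3, 0.05), "ingest": (100, 10.0)}

@dataclass
class Principal:
    user: str
    workspace: str  # signed-in tenant; a query never crosses it
    role: str

@dataclass
class Bucket:  # token bucket, one per (tenant, flow)
    tokens: float
    last: float

class Gateway:
    def __init__(self):
        self.audit = []    # (ts, actor, workspace, action, outcome)
        self.buckets = {}

    def _rate_ok(self, workspace, flow, now):
        burst, rate = LIMITS[flow]
        b = self.buckets.setdefault((workspace, flow), Bucket(burst, now))
        b.tokens = min(burst, b.tokens + (now - b.last) * rate)
        b.last = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True

    def request(self, p, action, target_ws, flow=None, now=None):
        """Return 'ok' or a denial reason; every decision is audited."""
        now = time.time() if now is None else now
        outcome = "ok"
        if target_ws != p.workspace:                       # tenant boundary
            outcome = "deny:tenant"
        elif action not in ROLE_PERMS.get(p.role, set()):  # role/permission
            outcome = "deny:role"
        elif flow and not self._rate_ok(p.workspace, flow, now):
            outcome = "deny:rate"
        self.audit.append((now, p.user, p.workspace, action, outcome))
        return outcome

    def audit_query(self, actor=None, action=None, since=0.0, until=float("inf")):
        return [e for e in self.audit if (actor is None or e[1] == actor)
                and (action is None or e[3] == action) and since <= e[0] <= until]
```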

What success looks like

Use the same audit and admin surfaces during renewal or incident review so the buyer sees a repeatable control path.

What success looks like

  • Reviewers can explain which BlackShield routes require admin roles and which flows are rate-limited.
  • Authorization and audit evidence can be pulled from product, not recreated manually.