Accept all cookies
Cookie settings
×

We use cookies to improve your experience on our site. By using our site, you are agreeing to the collection and use of data as described in our Privacy Policy.

Cookie Settings×

Table of contents

H2 link
Add hundreds of integrations to your product through Merge’s Unified API
Get a demo
Just for you
API integration security: what it is and best practices
Why MCP token management falls short of your security needs

What are API access controls? Plus tips for adopting them

Jon Gitlin
Senior Content Marketing Manager
@Merge

API providers often provide access to a broad range of sensitive data through their endpoints, whether that’s related to employees, customers, business financials, and more.

To ensure that only the right individuals have access to confidential data, API providers and 3rd-party integration solutions can implement access controls (i.e., API access controls).

We’ll break down how API access controls work, highlight the benefits of adopting them, and share some best practices for using them. 

API access controls overview

API access controls are typically role-based permissions that an API provider can enforce once an account is successfully authenticated.

API access controls can include: 

  • Admin/Super Admin access: Once authenticated, the API provider allows the admin(s) to access all of the data in the application
  • Individual access: Once authenticated, the API provider allows specific users to have access to the data and functionality in the application that falls within their assigned roles or policies
Visual of API access controls

Note: Access control mechanisms can vary across API providers. While the access controls covered above are most common, some API providers might allow for other approaches, such as attribute-based access controls (which can include other dimensions, like IP address and/or time of day)

Examples of using API access controls

Here are just a few real-world applications of API access controls.

Enterprise AI search

Guru offers an enterprise AI search platform that helps employees search for and discover helpful information, whether that’s related to their PTO policy, a specific customer, the steps for resolving a billing issue—and much more.

To power their platform, they offer API-based integrations with customers’ file storage applications, ticketing tools, project management platforms, CRMs, among other types of systems. 

These integrations also use access controls to ensure that every employee only receives answers to questions that fall within their permissions in the integrated applications.

For example, if a document with information on a team’s offsite is accessible to any employee, an employee can use Guru to quickly find out when the offsite is happening.

Guru's enterprise AI search result for a question on when the team onsite is taking place

On the other hand, if a document on financial forecasts has restricted access, only employees with access to it can get answers related to future revenue forecasts.

Guru's enterprise AI search result for a question on the latest update on Q4 revenue

Compliance tasks

A compliance automation platform, like Drata, Kertos, or Thoropass, can use access controls from integrated ticketing systems to determine who can create and update compliance tickets (e.g., the director of IT). It can then use that information, alongside integrated HR data, to assign tasks to the right individuals automatically.

For example, say an employee who owned a compliance policy leaves the company (as determined by the customer’s integrated HR software). The individual in the integrated ticketing app with the appropriate permissions can go on to receive a task in the compliance automation platform—which can be synced with the ticketing system—that asks them to assign a new owner to that policy.

An example of how an assigned task can appear in Kertos
An example of how this task can appear in Kertos

Customer-facing AI agents

Ema lets you build AI agents to support countless tasks and workflows across teams.

To ensure their AI agents only perform actions that fall within the requester’s level of permissions, the AI agents use the integrated applications’ access controls.

For instance, if an employee is submitting a PTO request for someone else, the AI agent can determine that the employee doesn’t have permissions to do so in the integrated HR software. However, since the employee can submit PTO for themselves, the AI agent can facilitate this request in a matter of seconds.

An employee asking an AI agent to submit PTO on their behalf

Related: A guide to integrating AI agents with 3rd-party apps

Benefits of implementing API access controls

Here are just a few of the benefits that come with using API access controls:

Avoid harmful scenarios 

By only allowing authorized individuals to see confidential data and perform sensitive actions, you’re preventing significant security threats from taking place, from someone stealing an employee’s social security number to someone stealing a customer’s credit card information.

Comply with security frameworks 

Preventing unauthorized individuals from seeing personally-identifiable information (PII) doesn’t just let you avoid harmful actions by malicious actors—it also lets you follow key data privacy and protection regulations, including GDPR, HIPAA, ISO 27001, and more.

Meet enterprise requirements 

Many prospects—especially at large companies—will need and expect your product to offer access controls. By providing them across all supported integrations, you’ll gain a competitive advantage and increase your close rate.

Adopt it with ease via a unified API 

A unified API solution, which lets you add hundreds of integrations through a single, aggregated API, can support access controls across integration categories.

For example, Merge, the leading unified API solution, offers access controls for ticketing and file storage integrations, ensuring that leading SaaS providers can easily support integrations that meet enterprise companies' requirements.

A snapshot of the file storage integrations Merge supports
Merge supports access control lists (ACLs) across its supported file storage integrations

Best practices for using API access controls

To help you use API access controls effectively, you’ll need to consider and implement the following:

  • Incorporate access controls across your supported integrations. Even if a single customer adopts an integration that doesn’t use access controls, a security incident can arise that causes long-lasting reputational harm to your business. With that in mind, you should prioritize using it with all of your integrations
  • Test your access controls extensively before going live. Once you’ve implemented API integrations with access controls, test all permission levels internally to ensure they behave as expected
  • Outsource your integrations. Tasking your engineers with building and maintaining integrations is already a tall order—it can consume most of their time and distract them from core projects. Asking them to build access controls on top of those integrations only adds complexity, making the work even more time and resource-intensive

Integration solutions, like Merge, can take this work off their plates by offering integrations out-of-the-box that come with access control functionality.

{{this-blog-only-cta}}

“It was the same process, go talk to their team, figure out their API. It was taking a lot of time. And then before we knew it, there was a laundry list of HR integrations being requested for our prospects and customers.”

Name
Position
Position
Jon Gitlin
Senior Content Marketing Manager
@Merge

Jon Gitlin is the Managing Editor of Merge's blog. He has several years of experience in the integration and automation space; before Merge, he worked at Workato, an integration platform as a service (iPaaS) solution, where he also managed the company's blog. In his free time he loves to watch soccer matches, go on long runs in parks, and explore local restaurants.

Read more

What are API access controls? Plus tips for adopting them

Insights

6 Model Context Protocol alternatives to consider in 2025

AI

3 expert insights on building AI features successfully 

AI

Subscribe to the Merge Blog

Get stories from Merge straight to your inbox

Subscribe

Ready to add enterprise-grade integrations to your product?

Learn about all of the measures Merge takes to secure its 220+ integrations by scheduling a demo with their team.

Scheduling a demo

Get our best content every week

Our weekly newsletter provides the best practices you need to build high performing product integrations.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
But Merge isn’t just a Unified 
API product. Merge is an integration platform to also manage customer integrations.  gradient text
But Merge isn’t just a Unified 
API product. Merge is an integration platform to also manage customer integrations.  gradient text
But Merge isn’t just a Unified 
API product. Merge is an integration platform to also manage customer integrations.  gradient text
But Merge isn’t just a Unified 
API product. Merge is an integration platform to also manage customer integrations.  gradient text