<![CDATA[Microservices architecture improves scalability and flexibility in modern distributed systems, yet it simultaneously widens the attack surface through decentralized service communication. Many existing implementations rely primarily on token validation without structured service-level authorization enforcement, leaving systems exposed to privilege escalation vulnerabilities. This study designed and evaluated a layered security model for a RESTful Application Programming Interface built with the Go Echo framework. The proposed approach combines JSON Web Token authentication using asymmetric cryptography with a token versioning mechanism, and pairs Role-Based Access Control with Attribute-Based Access Control within a sequential middleware pipeline. The methodology covered system architecture design, middleware implementation, structured security testing, and response time analysis. All simulated unauthorized access scenarios — including vertical and horizontal privilege escalation attempts — were successfully blocked. The average response time under the fully secured configuration measured 24.9 ms, indicating that the overhead introduced by the layered middleware remains practically acceptable. These findings suggest that separating authentication and authorization at the service level produces measurable security gains without meaningfully degrading system performance in microservices-based REST API applications.]]>
