Authentication for an API request

US9602482B1 · US · B1

Patent metadata

Publication number: US-9602482-B1
Application number: US-201314104986-A
Country: US
Kind code: B1
Filing date: Dec 12, 2013
Priority date: Dec 12, 2013
Publication date: Mar 21, 2017
Grant date: Mar 21, 2017

Abstract

Official abstract text for this publication.

Technology for managing an API request is described. In an example implementation, an authentication service may receive a request to access a service. The authentication service may be configured to determine a proximity of a client device from which the request originated to the service. The authentication service may be further configured to grant the request based in part on the determined proximity of the client device to the service with respect to a policy.

First claim

Opening claim text (preview).

The invention claimed is:

1. A system, comprising: a plurality of computing nodes, each of which comprises at least one processor and a memory, wherein the plurality of computing nodes are configured to collectively implement: a local network usable to access a service provider environment offered by a service provider external to the local network; a first communication protocol for the local network to use to reach the service provider environment; a token service hosted on the local network to generate authentication material for inclusion with an API request for the service provider environment and to communicate the authentication material over a second communication protocol, the second communication protocol being unusable to communicate with devices external to the local network; and a client to receive the authentication material using the second protocol and to send the API request containing the authentication material to the service provider environment using the first protocol.

2. The system of claim 1, wherein at least a portion of the local network is a virtual network operated by the service provider on behalf of a customer, and the token service is hosted on the virtual network.

3. The system of claim 1, wherein the token service generates the authentication material based at least in part on a proximity of the client to the token service.

4. The system of claim 1, wherein the token service transmits the authentication material with a restriction to limit receiving of the authentication material to clients inside of the local network.

5. A system, comprising: a client device to send an authentication material request for authentication material to a token service and configured to receive the authentication material from the token service over a second communication protocol unusable external to a local network of the client device, the client device being further configured to send an API request over a first communication protocol usable from the local network to reach a service provider environment when the authentication material is received, the API request including the authentication material to authenticate the client device to an authentication service for access to the service provider environment.

6. The system of claim 5, wherein the client device is authenticated by the authentication service according to an authentication policy based on a network traversal of packets between the client device and the authentication service.

7. The system of claim 6, wherein the network traversal is a Time To Live (TTL) value or a latency of the packets.

8. The system of claim 6, wherein the authentication policy defines a network traversal restriction including a specification of a network route over which the API request is to be sent.

9. The system of claim 5, wherein the authentication material is generated by the token service when the client device is within a predetermined number of hops from the token service.

10. The system of claim 5, wherein the authentication material is carried by at least one packet that includes a time to live (TTL) value of a defined number of hops equal to a number of hops between the token service and a furthest location on a network hosting the token service.

11. The system of claim 5, wherein the authentication material is carried by at least one packet that includes a time to live (TTL) value of a defined number of hops equal to a number of hops between the authentication service and a furthest location on a network hosting the token service.

12. A non-transitory computer readable medium comprising computer-executable instructions which, when executed by a processor, operate as a system for sending an API request, comprising a token service being operable to: receive a request for authentication material usable by a service provider; determine a network proximity of the request; generate the authentication material based on an authentication policy and the network proximity, the authentication policy including a network proximity restriction; and provide the authentication material in response to the request.

13. The computer readable medium of claim 12, wherein the token service is hosted on a local network that is local to a client device from which the request is originated, and the token service provides the authentication material to the client device using a protocol that is non-routable outside the local network.

14. The computer readable medium of claim 12, wherein the token service is operable to coordinate the authentication material with a remote authentication service external to a network hosting the token service.

15. The computer readable medium of claim 12, wherein the authentication material is generated when a client device sends the request via a defined port.

16. A system for receiving an API request, comprising: a plurality of computing nodes, each of which comprises at least one processor and a memory, wherein the plurality of computing nodes are configured to collectively implement: an authentication service to receive a request to access a service, the authentication service being configured to obtain client proximity information associated with the request and further configured to grant the request based in part on the obtained client proximity information using a policy that includes client proximity based restrictions.

17. The system of claim 16, wherein the authentication service is operable to receive a configuration API request to configure the policy used by the authentication service in granting the request, the configuration API request including an instruction to enable, disable or modify the policy.

18. A system as in claim 16, further comprising: a policy data store for storing the policy for use by the authentication service in determining whether to grant access to the service by the client device; and the authentication service comprises an authentication module to receive the request and to grant the request based in part on the policy.

19. The system of claim 16, wherein the authentication service is configured to reject the API request when a remaining TTL value of the API request is less than a predetermined value.

20. The system of claim 16, wherein the authentication service is configured to reject the API request when a latency of the API request from the client device to the authentication service is greater than a predetermined value.

21. The system of claim 16, wherein the authentication service is operable to enforce at least one restriction on a network path associated with the API request.

22. The system of claim 16, wherein the client proximity information comprises authentication material vended by a token service on a network local to a client device from which the request originated.

Assignees

Amazon Tech Inc

Inventors

Classifications

  • H04L63/08 (primary): for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)

  • for managing network security; network security policies in general (filtering policies H04L63/0227)

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213)

  • wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/08. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 21, 2017 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).