Need help with your APIs? I offer API discovery, governance & evangelism services. Explore services →
API Evangelist API Evangelist
Learnings
Guidance
Toolbox
Alignment
API Evangelist LLC

Security

API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to consuming APIs, including managing authentication, encryption, and other security practices. Building a strong API security posture requires ongoing investment and effort. The overall tone of API operations is shaped by security practices, and it becomes much harder to enforce security effectively if addressed only when APIs are exposed via gateways. Shifting security practices left—embedding security early in the design and development process—ensures product and engineering stakeholders are actively involved. API security depends not only on authentication, encryption, and endpoint scanning but also on thoughtful design and development, requiring a balanced, lifecycle-wide approach.

Policies

Agent-Scoped Authentication

I require that APIs support authentication credentials scoped specifically to agents, so that an autonomous consumer acts under its own narrowly-bound identity with least-privilege scopes rather th...

Data Privacy and PII Classified

I require that every schema property carrying personally identifiable information is explicitly classified as such in the API definition, so that PII is visible to governance, tooling, and downstre...

Dependency SBOM Maintained

Require that every API maintain a current software bill of materials enumerating the libraries, services, and versions it depends on. I want a machine-readable SBOM and dependency manifest kept in ...

Governance

Governance standardizes APIs across teams using a common platform and lifecycle, applying governance policies and rules, and keeping everyone moving in the same direction using common guidance.

Abuse Prevention (Security)

Require that every API is designed to resist abuse and misuse, so I want throttling, quotas, anomaly detection, bot and scraping defenses, and sensible request limits treated as part of the contrac...

Authorization (Security)

Require that every API defines and enforces authorization explicitly, so I want each operation to declare what scopes, roles, or permissions it demands and to check them on every request, not just ...

CORS (Security)

Require that every browser-facing API sets a deliberate, least-privilege CORS policy, so I want explicit allowed origins, methods, and headers rather than a lazy wildcard slapped on to make an erro...

Data Classification (Security)

Require that every API classifies the data it moves and applies protections that match that classification, so I want fields and payloads labeled as public, internal, confidential, or regulated, wi...

Input Validation (Security)

Require that every API validates all incoming data against its schema before acting on it, so I want types, formats, lengths, ranges, and required fields checked at the edge and anything that does ...

Transport (Security)

Require that every API is served exclusively over encrypted transport, so I want TLS enforced everywhere, plain HTTP either redirected or refused, weak protocols and ciphers disabled, and HSTS in p...

Security

Providing an overview of security practices for an API, including details covered as part of authentication and access management, but also security testing and certifications that matter to API co...

Standards

Internet, industry, market, and government standards help make APIs more consistent, but also save time and money for both producer and consumer, while keeping APIs better aligned with existing ind...

Strategies

API Authentication Is Standardized

All APIs must use standardized authentication mechanisms including OAuth, JWT, and API keys with properly defined scopes, ensuring that security is consistently implemented and that consumers have ...

API Authorization Is Properly Defined and Enforced

All APIs must have clearly defined authorization models that control what authenticated consumers can access and perform, using role-based or attribute-based access control to ensure that permissio...

API Data Is Classified and Protected

All data exposed through APIs must be classified by sensitivity level, with appropriate protections applied based on classification, ensuring that PII, financial data, and other sensitive informati...

API Dependencies Have an SBOM

I want a software bill of materials for the APIs and services we depend on, so that we always know what is actually in the systems we ship. Every external API we consume is a dependency, and if we ...

API Responses Must Be Meaningful and Consistent

All API responses should follow Internet, industry, and enterprise standards, providing a meaningful and consistent communication and structure, always providing what was intended for API consumers...

APIs Always Have Well-Defined Owners and Stakeholders

Each API should ideally have a dedicated product as well as an engineering owner, with other stakeholders across the API lifecycle defined in an easy to access human readable location, but also def...

APIs Are Aligned with Industry Using Standards

All APIs must be using relevant Internet, industry, and government standards available, ensuring to properly research areas of operations to see what existing standards may exist before the creatio...

APIs Are Made Available Through a Platform Gateway

All APIs must be deployed through a common platform gateway established for the domain, line of business, or team, leveraging development, staging, and production environments, and a common set of ...

APIs Are Protected from Abuse and Misuse

All APIs must have abuse prevention mechanisms beyond basic rate limiting, including throttling, quotas, circuit breakers, and bot detection, ensuring the stability and availability of APIs for leg...

APIs Earn and Maintain Consumer Trust

All APIs must demonstrate trustworthiness through transparent service level commitments, consistent deprecation policies, reliable performance, proper security, and clear legal terms, building the ...

APIs Must Be Actively Governed

All APIs being produced must be governed as part of the overall strategy, using the platform, as well as a common API lifecycle, applying policies and rules, and keeping teams moving in the same di...

APIs Must Reusable Whenever Possible

The components of any API should be made modular and reusable whenever it makes sense to the business use case, keeping schema, parameters, examples, error responses, and other common parts of an A...

Data Should Be Well-Defined and Validated

The schema for data that is sent and received via API should always be well-defined, possess a well-known shape, and always be validated, ensuring that digital resources and capabilities are what t...

Operations Must Always Be Secure

Individual API operations should always be properly secured during design, develop, and run-time, making sure data, credentials, logs, and all other related resources are properly secured and opera...

Operations Must Be Useful and Consistent

All individual API operations must be useful and follow consistent Internet, industry, and enterprise standards, providing a simple and relevant HTTP API operation that does one thing and does it w...