Need help with your APIs? I offer API discovery, governance & evangelism services. Explore services →
API Evangelist API Evangelist
Learnings
Guidance
Toolbox
Alignment
API Evangelist LLC

API Authorization Is Properly Defined and Enforced

All APIs must have clearly defined authorization models that control what authenticated consumers can access and perform, using role-based or attribute-based access control to ensure that permissions are granular, auditable, and consistently enforced across all API operations.

Policies

Authorization (Security)

Require that every API defines and enforces authorization explicitly, so I want each operation to declare what scopes, roles, or permissions it demands and to check them on every request, not just ...

Authentication

Require details regarding how authentication is handled as part of API security.

OAuth (Authentication)

Require that OAuth usage meets standards set by authentication policies.

JWT (Authentication)

Require JWT usage meets standards set by authentication policies.

Keys (Authentication)

Require the API key usage meets standards set by authentication policies.

Scopes (Authentication)

Require Oauth scopes meets standards set by authentication policies.

Operation Security

Requiring that all operational security meets the policy standards.

OpenAPI Security

Requiring that OpenAPI security meet the policy standards.

Experiences

Access

Gaining the necessary access to effectively use an API is often more challenging than it appears. Intentional and unintentional barriers can create friction in discovering and onboarding with an AP...

Security

API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to co...

Trust

Establish trust with API consumers will evolve and build over time, and is something that can be lost in a very short period of time. Trust will depend on other experiences like quality and reliabi...

Reliability

If an API isn’t reliable, consumers will eventually look for alternatives. Reliability starts with the platform and infrastructure where the API is deployed, but it also depends heavily on the pace...

Compliance

Compliance is the experience of meeting the legal, regulatory, and internal obligations that come with operating an API. For many teams it feels like a burden bolted on at the end, but the reality ...