All APIs must have clearly defined authorization models that control what authenticated consumers can access and perform, using role-based or attribute-based access control to ensure that permissions are granular, auditable, and consistently enforced across all API operations.
API Authorization Is Properly Defined and Enforced
Policies
Authorization (Security)
Require that every API defines and enforces authorization explicitly, so I want each operation to declare what scopes, roles, or permissions it demands and to check them on every request, not just ...
Authentication
Require details regarding how authentication is handled as part of API security.
OAuth (Authentication)
Require that OAuth usage meets standards set by authentication policies.
JWT (Authentication)
Require JWT usage meets standards set by authentication policies.
Keys (Authentication)
Require the API key usage meets standards set by authentication policies.
Scopes (Authentication)
Require Oauth scopes meets standards set by authentication policies.
Operation Security
Requiring that all operational security meets the policy standards.
OpenAPI Security
Requiring that OpenAPI security meet the policy standards.
Experiences
Access
Gaining the necessary access to effectively use an API is often more challenging than it appears. Intentional and unintentional barriers can create friction in discovering and onboarding with an AP...
Security
API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to co...
Trust
Establish trust with API consumers will evolve and build over time, and is something that can be lost in a very short period of time. Trust will depend on other experiences like quality and reliabi...
Reliability
If an API isn’t reliable, consumers will eventually look for alternatives. Reliability starts with the platform and infrastructure where the API is deployed, but it also depends heavily on the pace...
Compliance
Compliance is the experience of meeting the legal, regulatory, and internal obligations that come with operating an API. For many teams it feels like a burden bolted on at the end, but the reality ...