This stage is about securing the access and operations surrounding each API, ensuring only those who should have access are able to make requests and publish messages. Security is about establishing an organization-wide approach to how API authentication works and how encryption is applied, as well as secrets, roles, and the way APIs are fuzzed and scanned for vulnerabilities. You must provide teams with everything they need to secure each API and the operations around it, consistently securing the expanding API landscape.

There are many layers of t security for producing and consuming APIs. Organizations are increasingly making security a priority earlier on in the API life cycle, instead of after an API goes live. This evolution is often described as shifting left or investing in security earlier in the life cycle and equipping API teams with proven approaches to delivering more secure APIs.

API security doesn’t stop at authentication and authorization of each API. It and should include data in transport, the operations around each API, and security concerns for both producers and consumers. A known API life cycle, combined with well-defined security practices, gets teams up to speed with what matters most for securing APIs.