> For the complete documentation index, see [llms.txt](https://docs.opsmx.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.opsmx.com/code-to-cloud-security-and-scanners/dynamic-testing-and-api-security/api-security.md).

# API Security

API Security protects the APIs that serve as the backbone of modern application communication — ensuring that service-to-service interactions, external integrations, and user-facing endpoints are secured against unauthorized access, data leakage, injection attacks, and abuse.

APIs are a major attack surface in microservices architectures. A single misconfigured or unprotected API endpoint can expose sensitive business logic, user data, or internal services.

## **Why API Security Is Used in OpsMx**

OpsMx uses API Security in Delivery Shield to:

* **Discover shadow and unmanaged APIs** — identifying endpoints that were never formally documented or secured
* **Enforce authentication and authorization** — validating OAuth, JWT, and API key controls on every endpoint
* **Detect input validation failures** — preventing injection attacks via malformed or malicious API inputs
* **Protect against data exposure** — identifying APIs that return more data than the caller is entitled to
* **Test GraphQL, REST, and SOAP APIs** — imported via OpenAPI/Swagger, WSDL, or GraphQL introspection

### **Key Aspects**

| Control                               | Description                                                       |
| ------------------------------------- | ----------------------------------------------------------------- |
| **Authentication & Authorization**    | OAuth 2.0, JWT validation, API key enforcement                    |
| **Schema Validation**                 | Prevents malformed or malicious inputs at the API boundary        |
| **Rate Limiting & Abuse Protection**  | Detects and blocks API abuse patterns                             |
| **Sensitive Data Exposure Detection** | Flags APIs returning PII, credentials, or sensitive business data |
| **API Inventory & Discovery**         | Tracks all known and shadow API endpoints across the environment  |
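
To make the data-exposure and schema-validation controls above concrete, here is an added example (not OpsMx or Delivery Shield code) that compares a sample endpoint response against the fields its OpenAPI-style schema declares and flags undeclared fields plus keys or values that look like PII or credentials; the schema fragment, sensitive-key list and sample response are all constructed for the illustration.

```python
"""Response-exposure check for one REST endpoint (added illustration).

Two classes of finding are reported for a response body:
  * undeclared_field: the endpoint returns a top-level field its contract never declared
  * sensitive_key / sensitive_value: the key name or value looks like PII or a credential
"""
import re

# Constructed OpenAPI-style fragment: fields /users/{id} is documented to return.
DECLARED_SCHEMA = {"/users/{id}": {"id", "display_name", "email"}}

# Constructed list of key names that indicate PII or secrets in a response body.
SENSITIVE_KEYS = {"ssn", "password", "password_hash", "api_key", "token", "secret", "card_number"}

# Value shapes that look like credentials even under an innocuous key name.
SENSITIVE_VALUE_PATTERNS = [
    re.compile(r"^\$2[aby]\$\d{2}\$"),                     # bcrypt hash prefix
    re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\."),   # JWT-shaped string
    re.compile(r"^\d{3}-\d{2}-\d{4}$"),                    # US SSN format
]

def flatten(obj, prefix=""):
    """Yield (dotted_key, leaf_value) pairs for a nested JSON-like object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj

def check_response(path, body):
    """Return (kind, dotted_key) findings for one endpoint response."""
    declared = DECLARED_SCHEMA.get(path, set())
    findings = []
    for key, value in flatten(body):
        top, leaf = key.split(".")[0], key.split(".")[-1]
        if top not in declared:                      # more data than the contract promises
            findings.append(("undeclared_field", key))
        if leaf.lower() in SENSITIVE_KEYS:
            findings.append(("sensitive_key", key))
        elif isinstance(value, str) and any(p.match(value) for p in SENSITIVE_VALUE_PATTERNS):
            findings.append(("sensitive_value", key))
    return findings

# Constructed sample response from an endpoint that leaks beyond its schema.
SAMPLE_RESPONSE = {
    "id": 42, "display_name": "Ada", "email": "ada@example.com",
    "password_hash": "$2b$12$abcdefghijklmnopqrstuv",
    "profile": {"ssn": "123-45-6789", "internal_note": "VIP"},
}

if __name__ == "__main__":
    for kind, key in check_response("/users/{id}", SAMPLE_RESPONSE):
        print(f"{kind}: {key}")
```

Running the same check over recorded responses for every inventoried endpoint is one way to turn the "Sensitive Data Exposure Detection" control into a repeatable pipeline gate.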
---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.opsmx.com/code-to-cloud-security-and-scanners/dynamic-testing-and-api-security/api-security.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
