Zero trust API design

Authentication, authorization, and least privilege baked into every route.

Published: February 3, 2026 • Author: APISAST

Principles

Assume breach. Every call must be authenticated, authorized, encrypted, and rate-limited, regardless of which network zone it originates from. Define clear trust boundaries and avoid shared secrets across services.

Authentication patterns

  • Use OAuth2/OIDC for user-facing flows; rotate refresh tokens and enforce MFA for admins.
  • Use mTLS or workload identities for service-to-service calls.
  • Bind scopes to operations in your OpenAPI file; avoid catch-all scopes.

Authorization and access control

Prefer role- or attribute-based access control with least privilege. Document which claims are required per endpoint. Use resource-scoped tokens and enforce audience and issuer checks.
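The claim and scope checks described above, written out as an added illustration (this is not the blog's or APISAST's code). It assumes the token's signature has already been verified against the issuer's public key by your JWT library, so the functions receive the decoded payload. The route table ROUTE_SCOPES, the exception AuthError, the functions validate_claims/authorize and the resource-binding claim name "resource" are all hypothetical names chosen for the example; the sample claims at the bottom are constructed.

```python
"""Audience/issuer checks plus per-operation, resource-scoped authorization.

Added example, not the blog's code. Assumes the JWT signature was already
verified (e.g. RS256 against the issuer's JWKS) and `claims` is the payload.
"""
import time

# Required scopes per operation, mirroring the security requirement objects
# you would declare in the OpenAPI file. Hypothetical table for the demo.
ROUTE_SCOPES = {
    ("GET", "/orders/{id}"): {"orders:read"},
    ("POST", "/orders"): {"orders:write"},
    ("DELETE", "/orders/{id}"): {"orders:write", "orders:delete"},
}
# No catch-all scopes allowed in the table itself.
assert all("*" not in s for scopes in ROUTE_SCOPES.values() for s in scopes)


class AuthError(Exception):
    """Carries a short reason code usable as an RFC 7807 'title'."""


def validate_claims(claims, issuer, audience, now=None, leeway=30):
    """Enforce iss, aud, exp and nbf before any business logic runs."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise AuthError("issuer_mismatch")
    # RFC 7519: 'aud' may be a single string or an array of strings.
    aud = claims.get("aud")
    audiences = {aud} if isinstance(aud, str) else set(aud or [])
    if audience not in audiences:
        raise AuthError("audience_mismatch")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise AuthError("token_expired")
    if now + leeway < claims.get("nbf", 0):
        raise AuthError("token_not_yet_valid")
    return True


def token_scopes(claims):
    """'scope' is a space-separated string (RFC 6749 / RFC 8693)."""
    return set(claims.get("scope", "").split())


def authorize(claims, method, route, resource_id=None):
    """Least privilege: every required scope must be present, unknown
    operations are denied, and a resource-scoped token may only touch the
    single resource it names (hypothetical 'resource' claim)."""
    required = ROUTE_SCOPES.get((method, route))
    if required is None:
        raise AuthError("unknown_operation")  # deny by default
    if not required <= token_scopes(claims):
        raise AuthError("insufficient_scope")
    bound = claims.get("resource")
    if bound is not None and resource_id is not None and bound != resource_id:
        raise AuthError("resource_mismatch")
    return True


if __name__ == "__main__":
    # Constructed sample payload: read-only token bound to order 42.
    sample = {"iss": "https://issuer.example", "aud": ["api.example"],
              "exp": 2_000_000_000, "scope": "orders:read", "resource": "42"}
    validate_claims(sample, "https://issuer.example", "api.example",
                    now=1_900_000_000)
    print(authorize(sample, "GET", "/orders/{id}", resource_id="42"))
    try:
        authorize(sample, "DELETE", "/orders/{id}", resource_id="42")
    except AuthError as err:
        print("denied:", err)
```

Two design choices worth noting: unknown operations raise rather than fall through, so a new route is closed until someone adds its scopes to the table, and the resource binding is checked after the scope check so that a token with the right scope but the wrong resource still fails.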

Verification and monitoring

Add rate limits and anomaly detection at the edge. Return RFC 7807 errors so clients get consistent responses. Scan specs with the static API security scanner to catch missing security schemes.
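The three edge controls in this section, as an added example that is not the blog's code and not the APISAST scanner's implementation: a per-client token bucket, an RFC 7807 problem-details builder, and a check over an OpenAPI document for operations that have no effective security requirement, reference an undefined scheme, or request a catch-all scope (the point made under "Authentication patterns"). TokenBucket, problem and find_unsecured_operations are hypothetical names, and SAMPLE_SPEC is a constructed document.

```python
"""Edge verification helpers: rate limiting, RFC 7807 errors, spec check.

Added example. Not the blog's code; the OpenAPI document is constructed.
"""
import time

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


class TokenBucket:
    """Per-client bucket refilling at `rate` tokens/second up to `burst`."""

    def __init__(self, rate, burst, now=None):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.updated = time.monotonic() if now is None else now

    def allow(self, now=None, cost=1):
        now = time.monotonic() if now is None else now
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def problem(status, title, detail=None, type_="about:blank", instance=None, **ext):
    """Return (status, headers, body) for an RFC 7807 problem-details response.
    Callers JSON-encode `body`; extension members go in `ext`."""
    body = {"type": type_, "title": title, "status": status}
    if detail:
        body["detail"] = detail
    if instance:
        body["instance"] = instance
    body.update(ext)
    return status, {"Content-Type": "application/problem+json"}, body


def find_unsecured_operations(spec):
    """Return (METHOD, path, reason) findings.

    A per-operation `security` overrides the document-level one, and an
    explicit empty list [] disables security for that operation, so both
    a missing requirement and [] are reported."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    top_level = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', etc.
            requirements = op.get("security", top_level)
            if not requirements:
                findings.append((method.upper(), path, "no security requirement"))
                continue
            for req in requirements:
                for scheme, scopes in req.items():
                    if scheme not in defined:
                        findings.append((method.upper(), path, f"undefined scheme {scheme}"))
                    elif "*" in scopes:
                        findings.append((method.upper(), path, f"catch-all scope in {scheme}"))
    return findings


# Constructed OpenAPI document with one clean route and three problems.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"oidc": {
        "type": "openIdConnect",
        "openIdConnectUrl": "https://issuer.example/.well-known/openid-configuration"}}},
    "security": [{"oidc": ["orders:read"]}],
    "paths": {
        "/orders": {"get": {"summary": "list"},               # inherits top-level: fine
                    "post": {"security": [{"oidc": ["*"]}]}},  # catch-all scope
        "/health": {"get": {"security": []}},                  # explicitly open
        "/admin": {"delete": {"security": [{"apiKey": []}]}},  # scheme never defined
    },
}

if __name__ == "__main__":
    for finding in find_unsecured_operations(SAMPLE_SPEC):
        print(*finding)
    bucket = TokenBucket(rate=5, burst=10)
    if not bucket.allow(cost=11):
        print(problem(429, "rate_limited", "Burst of 10 exceeded", retry_after=1))
```

The scanner treats an empty `security: []` as a finding on purpose: it is the idiom for public endpoints, so each hit should be reviewed and either justified (a health check) or fixed.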