API keys are passwords.
Description
Treat them accordingly.
3. Require Transport Layer Security for All API Traffic
While the use of HTTPS is a good first step, it's not enough to protect all API traffic from eavesdropping and man-in-the-middle attacks. To ensure that sensitive data can't be intercepted or modified in transit, organizations should require Transport Layer Security (TLS) version 1.2 or 1.3 for all requests across their APIs (not just those over HTTPS). This will prevent attackers from hijacking communications with fake certificates and injecting malicious code into responses before they reach their intended targets on the client side of the connection.
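One way to enforce and check the TLS 1.2/1.3 floor with Python's standard `ssl` module, shown as an added example that is not part of the original page. The function names and the weak "before" context are constructed for illustration.

```python
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2  # floor stated in the text: TLS 1.2 or 1.3 only


def hardened_client_context() -> ssl.SSLContext:
    """API client context: TLS 1.2+, certificate chain and hostname verified."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = MIN_TLS
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """API server context: refuses handshakes below TLS 1.2.
    The caller still loads its own key pair with ctx.load_cert_chain()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed 'before' case: any protocol version, no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False  # must be disabled before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext, client: bool) -> list[str]:
    """Return policy findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append("protocol versions below TLS 1.2 are allowed")
    if client and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if client and not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings


if __name__ == "__main__":
    cases = [("weak client", weak_client_context(), True),
             ("hardened client", hardened_client_context(), True),
             ("hardened server", hardened_server_context(), False)]
    for name, ctx, is_client in cases:
        print(name, "->", audit_context(ctx, is_client) or "OK")
```

The two certificate checks are what reject a forged certificate on the client side; the version floor alone does not.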
https://t.co/gn5j2ZKJIh