Treat them as such.

3. Use a Secure Communication Channel

The most common way to implement API security is through the use of HTTPS, which encrypts all traffic between users and the API endpoint using TLS or SSL protocols. However, some organizations may be concerned about performance issues that can arise from implementing encryption on every request and response in their APIs. In these cases, it’s possible to use an encrypted communication channel only for sensitive data by leveraging a technique called selective encryption . This approach uses one set of keys for normal requests and another for those containing sensitive information like credit card numbers or personally identifiable information (PII)
https://t.co/U5Nh07g1JR