Description

1. Use HTTPS for all API traffic, and block older versions of TLS and the insecure SSL protocol.

2. Require user authentication before giving users access to information or performing any process. Publicly available APIs are an exception, but all other APIs should be limited to authenticated users, especially those available only internally. One of the simplest ways to provide authentication is through API keys, which work like a user's password. Every time a user makes a request, the API key should be sent so the server can verify the user's identity and level of access.

3. Protect API keys by safeguarding them the same way you secure passwords in general (i.e., use strong encryption).
https://t.co/lWbrGFFtF9

