API Security: The Hidden Doors of the Internet
Field Guide · 6 Chapters · What APIs Are to How They Get Hacked
Incoming transmission
[Fictional scenario based on real attack patterns] The Coastal Credit Union breach started with an API endpoint that returned a full customer object — including internal fields the mobile app never displayed. The attacker called it directly, bypassing the UI entirely, and pulled 200,000 account records in two hours. Nobody noticed for six weeks.
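The pattern in that scenario is an endpoint that serializes the whole back-end object and trusts the client to hide what it shouldn't show. Below is an added example (not part of the field guide or any real credit union's code) showing a vulnerable serializer next to a hardened one that allowlists fields on the server, plus a contract check a test suite or response middleware can run to catch a leaked field before it ships. The record layout, field names and `CUSTOMER_PUBLIC_FIELDS` allowlist are constructed for this example.

```python
"""Added example (not from the field guide): excessive data exposure shown as a
vulnerable serializer beside a server-side allowlisted one, plus a contract
check.  The record layout and field names are constructed for this example."""

from typing import Any, Dict, FrozenSet, List

# A constructed back-end customer record.  The mobile app only ever displays
# id, display_name and masked_account, but the object carries far more.
CUSTOMER_RECORD: Dict[str, Any] = {
    "id": 1042,
    "display_name": "J. Doe",
    "masked_account": "****6621",
    "email": "jdoe@example.com",
    "ssn": "123-45-6789",
    "account_number": "00123456621",
    "credit_score": 712,
    "internal_risk_flag": "watchlist",
    "password_hash": "$2b$12$...",
}

# Fields the API contract says a caller may receive from this endpoint.
# Anything not listed here must never leave the server, regardless of what
# the UI happens to render.  (Hypothetical allowlist for this example.)
CUSTOMER_PUBLIC_FIELDS: FrozenSet[str] = frozenset(
    {"id", "display_name", "masked_account"}
)


def serialize_customer_unsafe(record: Dict[str, Any]) -> Dict[str, Any]:
    """VULNERABLE: returns the full object and relies on the client to hide
    fields.  Anyone calling the endpoint directly receives everything."""
    return dict(record)


def serialize_customer(record: Dict[str, Any]) -> Dict[str, Any]:
    """HARDENED: allowlist enforced on the server.  Columns added to the
    record later stay hidden until someone deliberately adds them here."""
    return {k: record[k] for k in CUSTOMER_PUBLIC_FIELDS if k in record}


def leaked_fields(response: Dict[str, Any], allowlist: FrozenSet[str]) -> List[str]:
    """Contract check for a test suite or response middleware: which keys in
    a serialized response fall outside the documented allowlist?"""
    return sorted(set(response) - allowlist)


if __name__ == "__main__":
    unsafe = serialize_customer_unsafe(CUSTOMER_RECORD)
    safe = serialize_customer(CUSTOMER_RECORD)
    print("unsafe response leaks:", leaked_fields(unsafe, CUSTOMER_PUBLIC_FIELDS))
    print("hardened response leaks:", leaked_fields(safe, CUSTOMER_PUBLIC_FIELDS))
```

The allowlist is deliberately a server-side constant rather than something derived from what the UI requests, so a new database column cannot leak by default. Note that this control only fixes what each call returns; the bulk pull of 200,000 records in the scenario is a separate problem (object-level authorization and rate limiting), which later chapters cover.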
APIs are everywhere now. They're how your app talks to the server, how services integrate with each other, and how mobile apps work at all. They're also one of the largest attack surfaces in modern applications: reachable directly over the network without going through the UI, often less hardened than the web front end in front of them, and frequently forgotten about once deployed.
This manual covers APIs from first principles: what they are, how authentication works, what the OWASP API Top 10 actually means in practice, how attackers move through them, how to lock them down, and what happened when major companies got it badly wrong.
6 chapters. No prior API experience required. Plain English throughout.
— Commander Shepard
