A practical checklist for reviewing API authorization, authentication, object-level access control, sensitive data exposure, rate limits, and business-critical API workflows.
API Security Review Areas
Use these checks to review high-risk SaaS API behavior before a release, integration launch, or security review.
Authentication
- Require authentication for private endpoints
- Reject expired or malformed tokens
- Validate session/token scope server-side
- Avoid exposing authentication state through verbose errors
- Protect login, reset, and invite flows from abuse
Authorization
- Enforce authorization on every endpoint
- Do not rely on frontend role checks
- Validate role permissions server-side
- Test standard, manager, admin, and invited user roles
- Recheck authorization after workflow state changes
Object-Level Access Control
- Validate object ownership on every request
- Test IDOR/BOLA by changing object IDs
- Confirm cross-tenant records return 403 or 404
- Protect exports, reports, invoices, and attachments
- Add regression tests for object ownership
Sensitive Data Exposure
- Remove unnecessary fields from API responses
- Avoid returning internal IDs unless required
- Prevent leakage of emails, billing data, tokens, metadata, and hidden role fields
- Review nested API and GraphQL responses
- Validate error responses for sensitive details
Rate Limiting and Abuse Protection
- Rate-limit login, signup, reset, invite, export, and search flows
- Prevent enumeration through response differences
- Add throttling for expensive API operations
- Monitor repeated object-ID probing
- Apply abuse controls per user, IP, tenant, and token
Business Logic
- Validate server-side workflow state
- Prevent repeated use of one-time actions
- Protect approval, invite, billing, export, and admin workflows
- Test bypasses using direct API calls
- Ensure permissions cannot be upgraded through request manipulation
GraphQL API Checks
- Disable introspection if not required
- Validate authorization on queries and mutations
- Check nested resolver access control
- Test create/update/delete mutations
- Prevent excessive query depth and data exposure
Logging and Retesting
- Log failed authorization attempts
- Alert on repeated cross-tenant access attempts
- Document remediation ownership
- Retest fixed endpoints
- Add automated regression coverage for critical access-control paths
Common API Security Mistakes
Frontend-only authorization
Role checks in the UI without matching server-side enforcement.
Missing ownership checks
Endpoints validate login state but not object ownership or tenant boundaries.
Overly broad API responses
Responses include internal fields, hidden roles, metadata, or unrelated records.
Unsafe export endpoints
Bulk downloads skip the authorization checks used by normal views.
GraphQL resolver leakage
Nested resolvers return restricted objects after a permitted parent query.
Weak invite and role workflows
Invite, approval, or role changes can be manipulated through direct API calls.
When to Request a Manual Review
Automated scanners can help identify obvious misconfigurations, but they often miss IDOR/BOLA, tenant isolation issues, workflow abuse, role boundary failures, business logic flaws, and GraphQL authorization gaps.
A manual API review is useful when an API handles customer data, tenant-specific resources, billing records, exports, admin workflows, or product-critical state changes.
Need a Manual API Security Review?
Share the API, release, or workflow you want reviewed. THF will help identify authorization flaws, sensitive data exposure, and product-specific abuse paths.