Enterprises often treat all APIs with the same security posture, but different APIs carry radically different risk profiles. A five-tier taxonomy helps classify APIs by risk: (1) APIs exposing sensitive/regulated data like PII, health, or financial data; (2) APIs with write privileges that can mutate state and enable privilege escalation; (3) APIs triggering infrastructure operations like compute, builds, or container orchestration; (4) high-volume data APIs vulnerable to DDoS and data harvesting; and (5) third-party/partner integration APIs that expand the attack surface through supply chain exposure. Each tier has distinct threat vectors and mitigation strategies, from intent-based authorization and step-up authentication to zero-trust networking and enforced pagination limits. The recommended approach is dynamic authorization — applying proportional security controls based on each endpoint's blast radius rather than treating all APIs equally.
Table of contents

Tier 1: APIs that Expose Sensitive or Regulated Data
Tier 2: APIs with Write Privileges
Tier 3: APIs That Trigger Infrastructure Operations
Tier 4: High-Volume Data APIs
Tier 5: Third-Party and Partner Integration APIs
Moving Towards Dynamic Authorization
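The tier-proportional controls summarized above (intent checks and MFA for sensitive data, step-up authentication for writes, caller trust lists for infrastructure and partner calls, pagination caps for high-volume endpoints) as a single policy function. This is an added example, not code from the original article; the claim names (`amr`, `auth_time`), the step-up window and the page-size cap are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
import time

STEP_UP_WINDOW = 300   # assumed: seconds a strong auth stays fresh enough for writes
MAX_PAGE_SIZE = 100    # assumed: enforced pagination cap for high-volume endpoints

@dataclass
class Endpoint:
    tier: int                                            # 1..5, per the taxonomy
    allowed_intents: set = field(default_factory=set)    # tier 1: permitted purposes
    trusted_callers: set = field(default_factory=set)    # tiers 3/5: service or partner ids

@dataclass
class Request:
    claims: dict                  # decoded token claims (constructed in the tests)
    caller_id: str = ""           # identity from mTLS / client cert, "" if none
    page_size: int = 0            # requested page size, tier 4 only
    intent: str = ""              # declared purpose of access, tier 1 only

def authorize(req: Request, ep: Endpoint, now: Optional[float] = None) -> dict:
    """Return {'decision': 'allow'|'deny'|'step_up', 'reason': ..., ['page_size': ...]}."""
    now = time.time() if now is None else now
    if ep.tier == 1:
        # Intent-based authorization: a permitted purpose must be declared, and the
        # session must already carry a strong (MFA) authentication method.
        if req.intent not in ep.allowed_intents:
            return {"decision": "deny", "reason": "intent not permitted"}
        if "mfa" not in req.claims.get("amr", []):
            return {"decision": "step_up", "reason": "mfa required for sensitive data"}
    elif ep.tier == 2:
        # Step-up authentication: state-changing calls need a recent strong auth.
        if now - req.claims.get("auth_time", 0) > STEP_UP_WINDOW:
            return {"decision": "step_up", "reason": "re-authenticate before writing"}
    elif ep.tier in (3, 5):
        # Zero-trust: infrastructure and partner calls are accepted only from
        # explicitly listed, cryptographically identified callers.
        if req.caller_id not in ep.trusted_callers:
            return {"decision": "deny", "reason": "caller not on trust list"}
    if ep.tier == 4:
        # Enforced pagination: clamp oversized page requests instead of honoring them.
        size = min(max(req.page_size, 1), MAX_PAGE_SIZE)
        return {"decision": "allow", "reason": "ok", "page_size": size}
    return {"decision": "allow", "reason": "ok"}
```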