# API Review Checklist

> **Intro:** Use this checklist for new endpoints, changed contracts, admin APIs, partner APIs, and webhook-like workflows.

## Best time to use this checklist

Use it during design review, before exposing routes externally, and before adding new privileged or customer-data operations.

## Stop-the-line conditions

* missing server-side object ownership checks (any authenticated caller can read or change another tenant's objects by supplying its identifier);
* weak or inconsistent authentication between related routes (for example, a list endpoint that enforces a policy its detail or bulk endpoint does not);
* no rate limits, quotas, or other controls on resource consumption or abuse-sensitive flows;
* trusting data from an external integration (another service, partner, or webhook sender) without validating its origin and content.

## Text-first review prompts

* How does the API authenticate callers, and what identities exist?
* Where are object-level and function-level authorization enforced?
* Can a caller enumerate identifiers, infer state, or over-fetch data?
* What are the rate limits, quotas, or anti-automation controls for sensitive flows?
* What logs capture auth failures, object-owner mismatches, admin actions, and unusual consumption?
* Does this API trust data from another service or third party without verifying it?

## Evidence table

| Control area   | What to verify                                       | Typical evidence                               |
| -------------- | ---------------------------------------------------- | ---------------------------------------------- |
| Authentication | Strong auth model and token handling are documented  | OpenAPI notes, auth middleware, gateway policy |
| Authorization  | Object and function authorization happen server-side | service code, tests, review note               |
| Abuse controls | Sensitive business flows have limits or friction     | rate-limit config, bot control notes           |
| Inventory      | The route is discoverable and owned                  | API inventory, repo ownership, runbook         |
| Telemetry      | The API emits useful security and operational events | access logs, denial logs, dashboard            |
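The "Abuse controls" row above asks for evidence that a sensitive business flow has a limit. The following is an added example, not code from this page or its author, of what such a control looks like for a password-reset flow: a sliding-window limiter keyed separately on the target account and on the source address, so a script that rotates accounts from one address is still bounded. The limits, account names, and addresses are hypothetical, and the clock is injected so the example runs deterministically offline.

```python
"""Per-account and per-source limits for an abuse-sensitive flow (added example)."""
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window_seconds` interval."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = {}  # key -> deque of hit timestamps (seconds)

    def allow(self, key, now):
        q = self._hits.setdefault(key, deque())
        # Drop hits that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PasswordResetGuard:
    """Two independent limits (hypothetical values): 3/hour per account, 10/hour per source."""

    def __init__(self):
        self.per_account = SlidingWindowLimiter(limit=3, window_seconds=3600)
        self.per_source = SlidingWindowLimiter(limit=10, window_seconds=3600)
        self.denials = []  # what the telemetry row would expect to see emitted

    def request_reset(self, account, source_ip, now):
        # The source limit is checked first so an attacker rotating through
        # many accounts from one address is bounded regardless of the account.
        if not self.per_source.allow(("ip", source_ip), now):
            self.denials.append(("source_limit", source_ip, account, now))
            return "rate_limited"
        if not self.per_account.allow(("acct", account), now):
            self.denials.append(("account_limit", source_ip, account, now))
            return "rate_limited"
        return "accepted"


def simulate():
    """Constructed traffic: single-account hammering, account rotation, and window expiry."""
    guard = PasswordResetGuard()
    out = {}
    # Four resets for one account within a minute from one address.
    out["same_account"] = [
        guard.request_reset("victim@example.com", "198.51.100.7", t) for t in (0, 10, 20, 30)
    ]
    # Scripted abuse: one address requesting resets for twelve different accounts.
    out["rotating"] = [
        guard.request_reset(f"user{i}@example.com", "203.0.113.9", 100 + i) for i in range(12)
    ]
    # An hour later the victim account's window has expired.
    out["after_window"] = guard.request_reset("victim@example.com", "198.51.100.7", 3601)
    out["denials"] = len(guard.denials)
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The point for review is not the specific numbers but that there are two keys: a limit keyed only on the account does nothing against account rotation, and a limit keyed only on the source address does nothing against a distributed attacker targeting one account. Each denial is recorded so the telemetry row has something to point at.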

## Common misses

* confusing route-level authentication with object-level authorization: a valid session proves who the caller is, not that the caller owns the object in the request;
* relying on the client to hide or block forbidden actions instead of enforcing them server-side;
* forgetting to review bulk, list, and export endpoints, which often bypass the per-object checks of their single-item counterparts;
* failing to think about scripted abuse (many requests, many identities, or many accounts from one source), not just single-request abuse.
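The first two misses, and the stop-the-line condition on missing ownership checks, are easiest to see in code. The following is an added example, not code from this page or its author: a toy invoice service with a hypothetical vulnerable read endpoint that only checks that the caller is logged in, beside a hardened version that adds the server-side ownership check, plus a bulk export that enforces a function-level (admin) check regardless of what the client hides. All identifiers, principals, and invoice data are constructed for the example.

```python
"""Route auth vs object-level vs function-level authorization (added example)."""
from dataclasses import dataclass, field


class AuthzError(Exception):
    """Raised when the caller is not permitted to perform the operation."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed sample data: invoice id -> (owner user_id, amount in cents)
INVOICES = {
    "inv-1001": ("alice", 1200),
    "inv-1002": ("alice", 9900),
    "inv-1003": ("bob", 500),
}

AUDIT_LOG = []  # events a reviewer would expect under the "Telemetry" row


def _require_authenticated(caller):
    """Route-level check: is there a caller at all?"""
    if caller is None:
        raise AuthzError("unauthenticated")


def get_invoice_vulnerable(caller, invoice_id):
    """Route auth only: any logged-in user can read any invoice by id."""
    _require_authenticated(caller)
    owner, amount = INVOICES[invoice_id]
    return {"id": invoice_id, "owner": owner, "amount_cents": amount}


def get_invoice(caller, invoice_id):
    """Route auth plus a server-side ownership check on the requested object."""
    _require_authenticated(caller)
    record = INVOICES.get(invoice_id)
    # Same error for "does not exist" and "not yours", so a caller cannot
    # enumerate valid ids by telling a 403 apart from a 404.
    if record is None or record[0] != caller.user_id:
        AUDIT_LOG.append(("object_owner_mismatch", caller.user_id, invoice_id))
        raise AuthzError("not found")
    owner, amount = record
    return {"id": invoice_id, "owner": owner, "amount_cents": amount}


def export_all_invoices(caller):
    """Function-level check: bulk export is an admin operation, whatever the UI shows."""
    _require_authenticated(caller)
    if "admin" not in caller.roles:
        AUDIT_LOG.append(("function_denied", caller.user_id, "export_all_invoices"))
        raise AuthzError("forbidden")
    AUDIT_LOG.append(("admin_action", caller.user_id, "export_all_invoices"))
    return sorted(INVOICES)


def demo():
    """Exercise each path and collect the outcomes in one dict."""
    alice = Principal("alice")
    bob = Principal("bob")
    admin = Principal("root", frozenset({"admin"}))
    results = {}
    # Bob asks for Alice's invoice: the vulnerable route serves it.
    results["vuln_cross_tenant"] = get_invoice_vulnerable(bob, "inv-1001")["owner"]
    # The hardened route answers a foreign id and a missing id identically.
    for ident, label in (("inv-1001", "hardened_cross_tenant"), ("inv-9999", "hardened_missing")):
        try:
            get_invoice(bob, ident)
            results[label] = "served"
        except AuthzError as exc:
            results[label] = str(exc)
    results["own_invoice"] = get_invoice(alice, "inv-1002")["amount_cents"]
    try:
        export_all_invoices(bob)
        results["export_non_admin"] = "served"
    except AuthzError as exc:
        results["export_non_admin"] = str(exc)
    results["export_admin"] = export_all_invoices(admin)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When reviewing, look for the `get_invoice` shape (ownership compared against the authenticated principal, on the server, with a non-distinguishing error) on every route that takes an object identifier, including the bulk and export variants; a route that looks like `get_invoice_vulnerable` is a stop-the-line finding even though it "has auth".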

## Related pages

* [API Authentication and Authorization](/architecture-api-crypto-and-identity/index/api-authentication-and-authorization.md)
* [Rate Limits, Quotas, Friction, and Abuse Detection](https://github.com/D3One/Product-Security-Gitbook/blob/main/19-business-logic-abuse-and-product-abuse/rate-limits-quotas-friction-and-detection.md)
* [Worked Example API Review Lab](https://github.com/D3One/Product-Security-Gitbook/blob/main/22-learning-paths-and-labs/worked-example-api-review-lab.md)

---

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
