Module 8 · APIs — Your Mobile App Is Public Attack Surface

Manish Garg · Associate of (ISC)² · RingSafe
Apr 22, 2026
4 min read

Last updated: April 29, 2026

Every endpoint your mobile app or SPA calls is exposed to the internet. This module covers shadow endpoints, version drift and mass assignment.

The API is your backend's public interface. If a mobile app or SPA depends on it, every endpoint that API serves is reachable from the internet, whether or not you intended it to be. Yet developers routinely treat APIs as "internal" because the documentation is not published. That mental-model error is where many modern web compromises start: the attacker does not need your docs, only an intercepting proxy between the client and the server.

Why this happens

APIs grow organically. An endpoint is added for the mobile app. Another for the web SPA. Another for a back-office tool. Another for a third-party integration. Each has its own authentication assumptions, its own authorization model, its own rate limit, and the old version is rarely retired when the new one ships. Nobody maintains the canonical inventory. Security reviews cover the "main API" but miss the half-dozen auxiliary ones. The only inventory that matches what is actually reachable is one built from the running service's router, not from the documentation.
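One way to build that inventory check, as an added example that is not code from the original module: reconcile the routes the service actually registers against the paths its published spec documents, and flag the four things a reviewer cares about. The route table and the OpenAPI-style path list are constructed for the example; in a real review you would dump the framework's router (Flask's `app.url_map`, FastAPI's `app.routes`, or the equivalent) and load the service's real `openapi.json`.

```python
"""Reconcile the routes a backend actually serves against its documented API.

Added example, not code from the original article. The route table and the
OpenAPI-style path list below are constructed; in a real review you would
dump the framework's router (Flask's app.url_map, FastAPI's app.routes, or
the equivalent) and load the service's real openapi.json.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    auth: str   # what the handler actually enforces: "jwt", "api_key" or "none"
    owner: str  # which client the endpoint was originally added for


# Constructed: what the running service registers in its router.
SERVED = [
    Route("GET",   "/v2/users/{id}",       "jwt",     "web"),
    Route("PATCH", "/v2/users/{id}",       "jwt",     "web"),
    Route("GET",   "/v1/users/{userId}",   "jwt",     "legacy"),     # old version never retired
    Route("POST",  "/mobile/devices",      "jwt",     "mobile"),
    Route("POST",  "/mobile/promo/redeem", "none",    "mobile"),     # "only the app calls this"
    Route("GET",   "/internal/export",     "api_key", "backoffice"),
]

# Constructed: the paths and methods the published spec documents.
SPEC_PATHS = {
    "/v2/users/{id}": ["get", "patch"],
    "/v2/orders":     ["get"],   # documented but not served (ghost endpoint)
}

VERSION_PREFIX = re.compile(r"^/v(\d+)(/.*)$")


def normalise(method: str, path: str) -> tuple:
    """Upper-case the method and erase path-parameter names so that
    /users/{id} and /users/{userId}/ compare equal."""
    return method.upper(), re.sub(r"\{[^}]*\}", "{}", path.rstrip("/") or "/")


def reconcile(served: list, spec_paths: dict) -> dict:
    """Return the discrepancies between what is served and what is documented."""
    by_key = {normalise(r.method, r.path): r for r in served}
    documented = {normalise(m, p) for p, methods in spec_paths.items() for m in methods}

    # Group versioned paths by their unversioned suffix to spot version drift:
    # the same resource still reachable under more than one API version.
    versions = defaultdict(set)
    for _, path in by_key:
        m = VERSION_PREFIX.match(path)
        if m:
            versions[m.group(2)].add(int(m.group(1)))

    return {
        "shadow": sorted(by_key.keys() - documented),           # live but undocumented
        "ghost": sorted(documented - by_key.keys()),            # documented but not live
        "unauthenticated": sorted(k for k, r in by_key.items() if r.auth == "none"),
        "version_drift": {p: sorted(v) for p, v in versions.items() if len(v) > 1},
    }


if __name__ == "__main__":
    for finding, items in reconcile(SERVED, SPEC_PATHS).items():
        print(f"{finding}: {items}")
```

Shadow endpoints go to the review queue, ghost endpoints are spec debt, unauthenticated routes need a justification in writing, and every resource listed under version drift is a retirement ticket. Run it in CI against the real router and spec so the inventory cannot silently fall behind.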

Worse: mobile apps often call endpoints that web apps don't. Those endpoints were designed on two assumptions: that the mobile app is the only caller, and that you control the mobile app's behaviour. Neither holds once the app is in the wild. Anyone can route the app's traffic through an intercepting proxy, read every request, and replay it with altered headers and body; anyone can decompile the binary and read its endpoint list and any embedded secrets. The server therefore has to authenticate and authorise every request on its own and accept only the fields it expects, because the client cannot be trusted to send only what the app was built to send.
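What that assumption costs in practice, as an added example that is not code from the original module: a mobile-only profile update handler written the way the paragraph above describes (merge whatever the app sends, because "only the app calls this") next to the same handler written without trusting the caller. The user store, the session table and the request bodies are constructed for the example, and the handlers are plain functions rather than framework routes so it runs offline.

```python
"""A mobile-only profile endpoint written two ways: trusting the client, and not.

Added example, not code from the original article. The user store, the session
table and the request bodies are constructed; the handlers are plain functions
rather than framework routes so the example runs offline.
"""
import copy
import json
from typing import Optional

# Constructed: what the backend persists for one user.
_SEED = {
    "u1": {"id": "u1", "email": "alice@example.com", "display_name": "Alice",
           "role": "user", "credit_balance": 0},
}
# Constructed: bearer token -> user id (stands in for real token validation).
SESSIONS = {"tok-alice": "u1"}

# Fields the client is allowed to set. Everything else is server-owned.
MUTABLE_FIELDS = {"display_name", "email"}


def fresh_store() -> dict:
    """Independent copy of the seed data so each call starts from the same state."""
    return copy.deepcopy(_SEED)


def _caller(headers: dict) -> Optional[str]:
    """Resolve the bearer token to a user id; None if absent or unknown."""
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    return SESSIONS.get(token)


def update_profile_vulnerable(store: dict, headers: dict, body: str):
    """Original design: 'only our app calls this, and our app only ever sends
    display_name and email', so the handler merges whatever arrives."""
    uid = _caller(headers)
    if uid is None:
        return 401, {"error": "unauthenticated"}
    payload = json.loads(body)
    store[uid].update(payload)   # mass assignment: role, credit_balance, even id
    return 200, store[uid]


def update_profile_hardened(store: dict, headers: dict, body: str):
    """Same endpoint, assuming nothing about the caller: authenticate, then
    accept only allowlisted string fields and reject anything else loudly."""
    uid = _caller(headers)
    if uid is None:
        return 401, {"error": "unauthenticated"}
    payload = json.loads(body)
    if not isinstance(payload, dict):
        return 400, {"error": "object_expected"}
    unknown = sorted(set(payload) - MUTABLE_FIELDS)
    if unknown:
        # Rejecting rather than silently dropping makes the probe visible in logs.
        return 400, {"error": "unknown_fields", "fields": unknown}
    for field, value in payload.items():
        if not isinstance(value, str):
            return 400, {"error": "bad_type", "field": field}
        store[uid][field] = value
    return 200, store[uid]


# Constructed: the request the app normally sends, and the same request after an
# intercepting proxy has added two fields the app "never" sends.
APP_HEADERS = {"Authorization": "Bearer tok-alice"}
APP_BODY = json.dumps({"display_name": "Alice B."})
TAMPERED_BODY = json.dumps({"display_name": "Alice B.", "role": "admin", "credit_balance": 99999})

if __name__ == "__main__":
    s = fresh_store()
    print("vulnerable:", update_profile_vulnerable(s, APP_HEADERS, TAMPERED_BODY))
    s = fresh_store()
    print("hardened:  ", update_profile_hardened(s, APP_HEADERS, TAMPERED_BODY))
```

The hardened version is not cleverer, it just refuses to let the client decide which attributes exist. The allowlist lives next to the handler so a reviewer can see exactly what a caller may change, and rejecting unknown fields with a 400 rather than dropping them turns a tampering attempt into a log line you can alert on.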
