Awesome list. What about for GraphQL APIs?

A much welcome article/resource, even if you are designing private/internal APIs.

I want to add a word of caution for the use of this terms…

I work as a Developer Advocate for Mobile and API Security and I see a lot the term of private APIs being used incorrectly. Bear in mind that an API is only private when is not exposed to the world wide web (only works in an intranet), and that is rarely the case.

Just because an API needs a subscription, is only by invite, and/or is not documented anywhere, etc, doesn’t make it private. From the moment that a mobile app or web app uses the public internet to reach the API server, your API is public not private, because all it takes is to reverse engineer the mobile app or the web app to discover the API endpoints and then workout how they work in order to automate exploits against it.

Open source tools also exist to scan all domains and their sub-domains in order to find hidden APIs and then try to automatically fuzz them in order to try to find a way in, and you can assert this by deploying an online server with a public domain pointing to it and then tail the logs and you will see that just after a few seconds/minutes you can see strange entries in your logs.