Web API security covers access control and privacy for APIs, together with the detection of and countermeasures against attacks on them, including API reverse engineering and the exploitation of API vulnerabilities. The most common API vulnerabilities are catalogued in OWASP documentation, notably the OWASP API Security Top 10.

Because APIs are usually exposed over public networks (reachable from anywhere) and are typically well documented or easily reverse-engineered, and because they are highly sensitive to denial-of-service (DoS and DDoS) incidents, they are attractive targets for attackers. An attack might bypass the client-side application entirely and call the API directly, either to disrupt the service for other users or to extract private information. API security therefore focuses on securing this application layer: any check that only the client-side application performs offers no protection, because an attacker who interacts with the API directly simply skips it.
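The following is an added example, not code from the article, illustrating the two points above: a client-side filter that an attacker bypasses by calling the API directly, the server-side object-level authorization check that actually stops it, and a per-client token-bucket rate limit that blunts the cheap denial of service that direct API access makes possible. The in-memory record store, the user names and the handler functions are constructed for illustration; no web framework is involved, the "API" is a plain function call.

```python
"""Direct-to-API access: a client-side check is not a server-side check.

Added example for illustration only; the record store, users and handler
signatures are assumptions, not a real service.
"""
import time

# Constructed sample data: each record belongs to exactly one user.
RECORDS = {
    101: {"owner": "alice", "ssn_last4": "1234"},
    102: {"owner": "bob", "ssn_last4": "9876"},
}


def client_app_records_for(user):
    """What the client-side application shows: only the caller's own record
    IDs. An attacker never runs this code; they call the API directly."""
    return [rid for rid, rec in RECORDS.items() if rec["owner"] == user]


def vulnerable_get_record(session_user, record_id):
    """Vulnerable endpoint: trusts that the UI only ever sends the caller's
    own IDs. Anyone calling it directly can read every record."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, None
    return 200, rec


def hardened_get_record(session_user, record_id):
    """Hardened endpoint: object-level authorization is enforced on the
    server, independently of anything the client did or did not do."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        # Same status for "missing" and "not yours", so the endpoint cannot
        # be used to enumerate which record IDs exist.
        return 404, None
    return 200, rec


class TokenBucket:
    """Per-client token-bucket rate limiter.

    Assumption: limits are keyed on the authenticated user. Each request
    costs one token; tokens refill at `refill_per_sec` up to `capacity`.
    `clock` is injectable so behaviour can be tested deterministically.
    """

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.buckets = {}  # user -> (tokens, last_timestamp)

    def allow(self, user):
        now = self.clock()
        tokens, last = self.buckets.get(user, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1:
            self.buckets[user] = (tokens, now)
            return False
        self.buckets[user] = (tokens - 1, now)
        return True


def api_get_record(session_user, record_id, limiter):
    """Rate limit first, then authorize: unauthenticated floods and
    record-ID enumeration both hit the limiter before any data access."""
    if not limiter.allow(session_user):
        return 429, None
    return hardened_get_record(session_user, record_id)


if __name__ == "__main__":
    # The UI only ever offers alice record 101 ...
    print("UI shows alice:", client_app_records_for("alice"))
    # ... but a direct call to the vulnerable endpoint returns bob's record.
    print("vulnerable, alice asks for 102:", vulnerable_get_record("alice", 102))
    # The hardened endpoint refuses, and does not reveal that 102 exists.
    print("hardened, alice asks for 102:", hardened_get_record("alice", 102))
    limiter = TokenBucket(capacity=3, refill_per_sec=1.0)
    print("burst of 5:", [api_get_record("alice", 101, limiter)[0] for _ in range(5)])
```

The status codes returned by `hardened_get_record` deliberately do not distinguish "no such record" from "not your record"; if the endpoint returned 403 for the latter, an attacker could still map out which IDs are valid even without reading them.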