API Security Basics for AI-Built Apps

How to secure your API endpoints. Authentication, input validation, rate limiting, and CORS — the essentials for any web app.

Why API security matters

Your API endpoints are the front door to your data. If they're unprotected, anyone can access, modify, or delete user data — even if your login page looks secure. Most AI coding tools create API routes without authentication, validation, or rate limiting. Fixing this is the single most important security improvement you can make.

Authentication

Every private API endpoint must verify the caller's identity. Check for a valid session token or JWT on every request. Reject unauthenticated requests with a 401 status code. Don't just check if a token exists — verify it hasn't expired and belongs to a real user. Use middleware to apply auth checks consistently across all routes.

Input validation

Never trust data from the client. Every request body, query parameter, and URL parameter should be validated before use. Use a library like Zod to define schemas and reject invalid input. This prevents SQL injection, XSS attacks, and data corruption. Validate on the server — client-side validation is for UX, not security.

Rate limiting

Without rate limiting, an attacker can hammer your API with thousands of requests per second — brute-forcing passwords, scraping data, or running up your hosting bill. Add rate limits to all public endpoints, with stricter limits on sensitive endpoints (login, signup, password reset). Most hosting platforms offer built-in rate limiting.

CORS configuration

Cross-Origin Resource Sharing (CORS) controls which domains can call your API. In development, it's common to allow all origins (*). In production, restrict it to only your frontend domain. Otherwise, anyone can create a website that calls your API as if it were your app.

Need help with this?

Our team handles security review for AI-built apps every day. Get a fixed quote within 24 hours.

Start with a self-serve audit

Get a professional review of your app at a fixed price.

Security Scan

Black-box review of your public-facing app. No code access needed.

$19
  • OWASP Top 10 checks
  • SSL/TLS analysis
  • Security headers
  • Expert review within 24h

Code Audit

In-depth review of your source code for security, quality, and best practices.

$19
  • Security vulnerabilities
  • Code quality review
  • Dependency audit
  • AI pattern analysis

Complete Bundle

Both scans in one package with cross-referenced findings.

$29 (regular price $38)
  • Everything in both products
  • Cross-referenced findings
  • Unified action plan

100% credited toward any paid service. Start with an audit, then let us fix what we find.
