How do you secure APIs deployed in Anypoint Platform?

Securing APIs in Anypoint Platform relies on enforcing authentication and authorization at the API gateway, protecting data in transit, and safeguarding credentials. In API Manager you attach security policies to the API or its proxy, using mechanisms like OAuth 2.0, JWT, or API key validation to confirm who is calling the API. Transport security is provided by TLS, with the option to enable mutual TLS (mTLS) to verify both client and gateway identities. Credentials should be stored securely in the platform’s Credential Store or another secure secret management solution to avoid hard-coded secrets and enable rotation. When these layers are applied to the API, security is consistently enforced across environments and calls are properly authenticated, authorized, and protected in transit. Relying only on a network firewall misses API-level controls, and security won’t be effective if configured only on the client side.