#api governance
27 posts
4 Jun
Model Context Protocol (MCP) has, almost overnight, become a mainstay for developer tools and enterprise AI workflows. Anthropic open-sourced MCP in late 2024 and later donated it to the recently established Agentic AI Foundation (AAIF), a Linux Foundation project. As AI agents and large language model (LLM) applications start to put MCP servers into use, ...
2 Jun
A developer can ship an MCP server in an afternoon. Getting that same server running in regulated production, with credentials provisioned, access controls enforced, and security sign-off obtained, takes weeks. This post walks through the six challenges teams hit when scaling enterprise MCP deployments from prototype to production, the fix for each, a posture assessment ...
28 May
Often, enterprises end up treating all their APIs roughly the same. They’re authenticated, maybe rate-limited, and hopefully behind a gateway, but ultimately, they’re lumped together as part of a collection of APIs. While that flatness makes sense from a product management perspective, it poses a problem for risk management. A payment processing API and a ...
26 May
AI agents are pieces of software that autonomously perform actions to achieve a goal or objective. They operate in loops where they analyze input, such as prompts, context, tools, and memory. They then plan, take actions, and feed the output back into the loop to decide how to proceed. In this way, agents can dynamically ...
19 May
API keys often give a false sense of security: it seems like they protect access to APIs. Yet, there are plenty of API key security risks. For one, they’re simply static strings that are often exposed, leaked, and end up helping attackers. As such, leaky API keys are at the heart of many of today’s ...
14 May
The age of AI is well upon us. According to research by Microsoft, 24.7% of the working age population in the Global North is using AI, paired with 14.1% of the Global South. As AI adoption increases, organizations are increasingly finding their minds focused on not just the potential upside of AI, but on the ...
12 May
In many existing systems, enterprise data uses only basic security protections. For example, the backend of a web application might call an API and use an API key to secure the request. The solution may seem secure enough, since the web application only calls a subset of API endpoints and the user seems constrained by ...
6 May
Between August 9 and August 17, 2025, malicious actors were able to export data from over 700 organizations. To make matters worse, the breach, referred to as UNC6395, was caused by insecure tokens leaked by a third-party app called Salesloft. As a representative from Google put it in a statement, “After the data was exfiltrated, ...
5 May
“REST is dead.” “MCP will be gone within a year.” “Tooling is the new sprawl layer.” These are all takes we’ve read recently on the issues people are facing when it comes to connecting AI to APIs. Kelsey Hightower, for example, recently opened some interesting debate around the future of REST and MCP on Bluesky ...
11 Mar
AI introduces many exciting developments in the software industry. However, the uncontrolled use of generative AI has the potential to undermine our mission to provide a platform for authentic voices in the API community. For this reason, we are clarifying our AI usage policy. This policy applies to anyone who contributes content to Nordic APIs, ...
10 Mar
APIs are no longer just infrastructure holding organizations together. They’re business products in their own right. As Postman put it in the 2024 State of the API report, “62% of respondents report working with APIs that generate income. This signals the rise of the API-as-a-product model, where APIs are designed, developed, and marketed as strategic ...
5 Mar
Most API teams I talk to are serious about the front door. They have a documented API surface, versioning rules, code review, and a continuous integration and continuous delivery (CI/CD) pipeline that runs tests and security checks before anything ships. That’s all good hygiene. But the incidents that turn into painful postmortems often start somewhere ...
24 Feb
When building agentic AI systems that interact with APIs and other services, securely managing JSON Web Tokens (JWTs) becomes a critical part of the architecture. Unlike traditional web applications, agentic AI can operate autonomously, invoking APIs, making decisions, and passing sensitive information without direct human supervision. These nuances create unique authorization challenges around how JWTs ...
18 Feb
As APIs scale and organizations structure complex systems, it’s almost inevitable that some enterprises are going to end up with more than one API gateway. Sometimes this is intentional — especially when those gateways represent different environments, segmented data services across regions, or different teams and thus different focuses. More often, however, this is just ...
10 Feb
A product manager at a mid-sized SaaS company notices a familiar pattern. The mobile app team is blocked waiting for a backend change, the data team has built its own undocumented endpoints to move faster, and the DevOps team is fielding late-night incidents caused by services calling each other in unexpected ways. Each team is ...
4 Feb
It is no longer a secret that AI and APIs are intimately connected. Whether it’s building foundational infrastructure or powering MCP servers, APIs are the essential building blocks. However, for AI to deliver a positive impact, these APIs require rigorous governance and management. APIs serve as the technical key to an AI initiative and provide ...
29 Jan
Agentic AI is an incredibly powerful frontier technology, and it’s actively changing the tech landscape day by day. One of the most significant changes is that APIs are no longer solely called by deterministic code developed and reviewed by humans. Instead, APIs are being actively and frequently called, explored, linked, and even adapted by autonomous ...
14 Jan
In the age of AI, there is a worrying trend of simply letting AI "take care of it." You have invested in an agentic system, so when you need something done, why not just let the AI agent make the API request? After all, it is just a machine making a machine request — right? ...
13 Jan
The API community has been known to be on the lookout for shadow APIs for a number of years, as they are a common source of cybersecurity risks like unauthorized access and data leaks. It does not matter how robust your cybersecurity is when an endpoint falls outside of your protective barriers. Once an API ...
8 Jan
In the software field, one of the most commonly referred to and leveraged resources is the Top Ten list from OWASP. This is for good reason — OWASP stands as a platform- and vendor-agnostic voice that can highlight application security risks in a potentially more meaningful way than the litany of whitepapers and reports issued ...
7 Jan
In OpenAPI, the industry standard API specification, small steps can have major implications. While OpenAPI 3.2.0 may not reinvent the wheel, as it still follows the same architecture and uses the JSON Schema Specification Draft 2020-12 implemented in OpenAPI 3.1.0, OpenAPI Specification v3.2.0 still has enough changes to warrant excitement while remaining compatible with older ...
23 Dec 2025
Authorization Exchange, or AuthZEN for short, is a new specification from the OpenID Foundation that aims to bring clarity and standardization to authorization. If OAuth 2.0 and OpenID Connect brought us standardized protocols for authentication and identity, AuthZEN aims to do something similar for fine-grained authorization. It defines a shared, interoperable way for applications to ...
22 Dec 2025
Agentic AI has been one of the hottest buzzwords of 2025, with developers and business owners racing to unlock the vast potential of AI. Agentic AI is a vital link in this technological chain, as it allows AI systems to make decisions and implement actions with little to no human input necessary. If you have ...
28 Oct 2025
It’s not an overstatement to say that the health and fitness space has been transformed in the past couple of decades. Thanks to the introduction of wearables and trackers, keeping tabs on one’s progress no longer means manually entering weights and reps into a chalky old notebook between sets. Fitness has been streamlined, incentivized, and ...
8 Oct 2025
APIs have a reputation for being the weakest link in an enterprise’s cybersecurity. This can become a self-fulfilling prophecy, as APIs’ supposed vulnerabilities make them a popular target for potential attackers and cybercriminals. This can cause all manner of security issues, as APIs can be made to divulge a wealth of sensitive information using valid ...
7 Oct 2025
You may have heard it repeatedly that “API sprawl is the new shadow IT.” But what does that actually mean? Where is this problem coming from? What does this practically mean in the age of AI? And more importantly, how pervasive is this problem across the API industry? Today, we’re going to look at the ...
3 Oct 2025
In January 2024, the Centers for Medicare and Medicaid Services updated The CMS Interoperability and Patient Access Act. The new revision outlines requirements and specifications for what information medical providers need to provide, as well as how it should be formatted to ensure API security and data compliance. This is towards the goal of improving ...