Platform engineering API governance
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- 12 security categories aligned to OWASP API Top 10
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with strict header allowlist
- Programmatic access via API and CLI
- Continuous monitoring and diff detection in Pro tiers
What is API governance for platform engineering
API governance for platform engineering defines how APIs are designed, published, and consumed across an organization. It connects ownership, interface contracts, and security expectations so teams can move independently without degrading reliability or security posture. Governance produces a clear boundary between what teams can change and what must be coordinated centrally.
What teams get wrong when governance is absent
Without explicit governance, teams publish APIs with weak authentication, missing versioning, and inconsistent authorization models. Ad hoc endpoints proliferate, sensitive fields are over-exposed, and debugging becomes difficult because interface semantics and security schemes are undocumented. These gaps increase integration risk and make automated compliance checks unreliable.
- Inconsistent authentication mechanisms across services
- Missing or incorrect API versioning and deprecation policy
- Over-permissive CORS and unsafe HTTP methods exposed
- Lack of centralized inventory leading to shadow APIs
- Insufficient observability into who is calling which endpoint
A practical governance workflow with evidence
A robust workflow starts with an inventory of existing APIs, followed by contract validation against defined security and operational rules. Teams then verify authentication, authorization, and input constraints before publishing. Continuous monitoring tracks every change and surfaces regressions quickly, so decisions rest on current evidence rather than on periodic audits.
middlebrick scan https://api.example.com/openapi.json --output json
The scan parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, compares the spec definitions to the behavior observed on the live endpoint, and reports deviations such as operations that reference an undefined security scheme or are marked deprecated.
What middleBrick covers out of the box
middleBrick is a black-box API security scanner that runs in under a minute using only read-only HTTP methods. It maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls, providing prioritized remediation guidance without requiring code access or SDK integration.
- Authentication bypasses and JWT misconfigurations
- Broken object level authorization and IDOR
- Privilege escalation and role/permission leakage
- Property over-exposure and mass-assignment surfaces
- Input validation issues, including permissive CORS configurations and unsafe HTTP methods
- Missing rate limiting and oversized response risks
- Data exposure including PII and API key patterns
- SSRF probes against URL-accepting parameters
- LLM/AI adversarial probes across Quick, Standard, and Deep tiers
Scanning modes and integration options
Authenticated scanning supports Bearer, API key, Basic auth, and cookies, gated by domain verification to ensure only domain owners can scan with credentials. The tool enforces a strict header allowlist and does not execute destructive payloads.
Integrations include a web dashboard for tracking score trends, a CLI for local runs, a GitHub Action for CI/CD gating, an MCP server for AI coding assistants, and a programmable API for custom workflows. Continuous monitoring in Pro tiers provides scheduled rescans, diff detection, and HMAC-SHA256 signed webhooks.
middlebrick scan https://api.example.com/openapi.yaml --auth-type bearer --auth-token <token> --output text
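Consuming the HMAC-SHA256 signed webhooks mentioned above means the receiver has to verify the signature before acting on a scan-diff event. The following is an added example, not middleBrick's own code: the page states only that webhooks are HMAC-SHA256 signed, so the header names, the timestamp-in-signature rule, the replay window, and the secret below are assumptions chosen to show a complete check, not middleBrick's actual wire format.

```python
"""Verify an HMAC-SHA256 signed webhook delivery before processing it.

Added example, not middleBrick's own code. Header names, the
"timestamp.body" signing rule, the replay window and the secret are all
assumptions for illustration; consult the provider's docs for the real format.
"""
import hashlib
import hmac
import json
import time

# Assumed header names and signing rule: sig = HMAC-SHA256(secret, "<ts>.<raw body>")
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # assumed replay window


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex signature a sender would attach; the receiver recomputes the same value."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason). Always MAC the raw body bytes, never re-serialized JSON."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, timestamp, body)
    # compare_digest is constant-time, so mismatch position cannot leak the MAC
    if not hmac.compare_digest(expected, provided):
        return False, "signature mismatch"
    return True, "ok"


# Constructed delivery: a scan-diff event with a fixed secret and a fixed clock
SECRET = b"whsec_example_do_not_use"
NOW = 1_700_000_000
BODY = json.dumps({"event": "scan.diff", "score": 71, "new_findings": 2},
                  separators=(",", ":")).encode()
GOOD_HEADERS = {TIMESTAMP_HEADER: str(NOW), SIGNATURE_HEADER: sign(SECRET, NOW, BODY)}


def demo():
    """Run the check against a valid, a tampered, a replayed and a wrong-secret delivery."""
    return {
        "valid": verify(SECRET, GOOD_HEADERS, BODY, now=NOW),
        "tampered": verify(SECRET, GOOD_HEADERS, BODY.replace(b"71", b"99"), now=NOW),
        "replayed": verify(SECRET, GOOD_HEADERS, BODY, now=NOW + 3600),
        "wrong_secret": verify(b"other-secret", GOOD_HEADERS, BODY, now=NOW),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'} ({reason})")
```

The two mistakes this guards against are comparing signatures with `==` (timing leak) and computing the MAC over a parsed-then-re-serialized payload, where key order or whitespace differences make a legitimate delivery fail; read the raw request body and sign exactly those bytes.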