Replay attacks and spoofing

Replay attacks, also known as playback attacks, are network attacks in which a valid data transmission that was meant to be processed only once is captured and maliciously repeated by an attacker who spoofs the legitimate sender. Because the server is expecting a valid transaction, it has no reason to doubt that the repeated requests are genuine. In reality they are masqueraded requests, and they can have catastrophic effects for clients:

The previous diagram depicts a replay attack example where the legitimate user sends a valid request, but the attacker spoofs it and resends/replays it to the APIs.

As RESTful APIs are stateless, the chances of those APIs being subjected to replay attacks are high (they are an easy target). It is therefore evident that API designers/developers need to build countermeasures against replay attacks into their APIs. Protection measures include one-time passwords with session identifiers, time-to-live (TTL) limits, message authentication code (MAC) implementation on the client side, and timestamps included in requests, along with secure protocols such as Kerberos, secure routing, and the challenge-handshake authentication protocol (CHAP).
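As an added illustration (not code from the book), the following Python snippet combines three of the countermeasures listed above: a request timestamp, a TTL window, and a client-side MAC over the request together with a one-time nonce that the server remembers for the length of the window. The shared secret, the header names and the TTL value are assumptions made for the example.

```python
import hmac, hashlib, secrets, time

# Constructed shared secret for the example; real deployments provision it out of band.
SECRET = b"example-shared-secret"
TTL_SECONDS = 30  # assumed acceptable clock skew / replay window


def sign_request(method, path, body, now=None, nonce=None):
    """Client side: attach a timestamp, a one-time nonce and an HMAC covering all of them."""
    ts = str(int(now if now is not None else time.time()))
    nonce = nonce or secrets.token_hex(16)
    msg = "\n".join([method, path, ts, nonce, body]).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return {"method": method, "path": path, "body": body,
            "X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": mac}


class ReplayGuard:
    """Server side: verifies the MAC, enforces the TTL and rejects any nonce seen before."""

    def __init__(self, ttl=TTL_SECONDS):
        self.ttl = ttl
        self.seen = {}  # nonce -> timestamp at which it was first accepted

    def verify(self, req, now=None):
        now = now if now is not None else time.time()
        # Forget nonces older than the window so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.ttl}
        try:
            ts = int(req["X-Timestamp"])
        except (KeyError, ValueError):
            return "rejected: bad timestamp"
        if abs(now - ts) > self.ttl:
            return "rejected: stale timestamp"
        msg = "\n".join([req["method"], req["path"], req["X-Timestamp"],
                         req["X-Nonce"], req["body"]]).encode()
        expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison; a tampered body, path or nonce fails here.
        if not hmac.compare_digest(expected, req["X-Signature"]):
            return "rejected: bad signature"
        # A genuine request replayed inside the window carries a nonce already seen.
        if req["X-Nonce"] in self.seen:
            return "rejected: replay"
        self.seen[req["X-Nonce"]] = ts
        return "accepted"
```

The nonce cache is what a purely stateless verifier lacks: without it, a captured request replayed within the TTL window still carries a valid MAC and a fresh-enough timestamp.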
