API security design patterns

API security is essential: if an API can be manipulated in any way, the results may be catastrophic. The following article enumerates the things an API developer has to attend to in detail in order to arrive at impenetrable and unbreakable APIs: https://dzone.com/articles/top-5-rest-api-security-guidelines. First, identification and authentication are performed so that users are entitled to access RESTful APIs. Next in line is authorization. The RESTful API has to be designed so that authorization rights can be established and enforced, and applying the correct changes to authorization policies/rules also has to be part of the API design. Rights-based access to resources has to be made mandatory.

It is the API designer's/developer's responsibility to ensure that the design mandates API key or session token validation for each specific resource collection and action. For example, if an API is exposed for books, allowing any user to delete entries is not prudent, but it is fine to let anyone retrieve a book catalogue entry. Further down the line, the session token or API key has to be embedded in the message body or sent as a cookie to diligently protect privileged collections or actions from any unauthorized use.
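The book example above, worked through as an added example (not code from the article or the linked guidelines): a deny-by-default policy keyed on (collection, action), where GET on the catalogue is public while DELETE requires a key bound to a role that carries the right. The API keys, role names and the policy table are constructed for illustration; how the key is transported (body or cookie) is left to the caller, which simply passes the presented value in.

```python
import hashlib
import hmac

# Constructed sample credentials: keys are stored only as SHA-256 digests,
# each bound to a role. A real service would keep these in a credential store.
API_KEY_DIGESTS = {
    hashlib.sha256(b"editor-key-0001").hexdigest(): "editor",
    hashlib.sha256(b"reader-key-0002").hexdigest(): "reader",
}

# Rights policy per (collection, action). None marks a public action; a set
# lists the roles permitted. Anything not listed is denied (deny by default).
PUBLIC = None
POLICY = {
    ("books", "GET"): PUBLIC,
    ("books", "POST"): {"editor"},
    ("books", "DELETE"): {"editor"},
}
_NO_POLICY = object()  # sentinel for routes that have no entry at all


def role_for_key(presented_key):
    """Return the role bound to a presented API key, or None if unknown.

    The digest comparison is constant-time so that an attacker cannot learn
    how many leading characters of a digest matched from response timing."""
    if not presented_key:
        return None
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    for stored_digest, role in API_KEY_DIGESTS.items():
        if hmac.compare_digest(stored_digest, digest):
            return role
    return None


def authorize(method, path, api_key=None):
    """Decide whether a request may proceed; returns (http_status, reason)."""
    parts = path.strip("/").split("/")
    collection = parts[0] if parts else ""
    allowed_roles = POLICY.get((collection, method.upper()), _NO_POLICY)
    if allowed_roles is _NO_POLICY:
        return 403, "no policy defined for this collection/action"
    if allowed_roles is PUBLIC:
        return 200, "public action"
    role = role_for_key(api_key)            # validation happens per action
    if role is None:
        return 401, "missing or invalid API key"
    if role not in allowed_roles:
        return 403, "role '%s' may not %s %s" % (role, method, collection)
    return 200, "authorized as %s" % role
```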
