The access model breaks first. If an API can return customer records without authentication, rate limiting, or scoped authorisation, it becomes a mass-retrieval path rather than a controlled interface. That exposes organisations to scraping, fraud, privacy harm, and regulatory scrutiny because the trust boundary was never enforced.
Why This Matters for Security Teams
A public customer-data API is not just an exposure issue, it is a boundary failure. When authentication, rate limiting, and scoped authorisation are absent, the interface stops behaving like a controlled service and starts behaving like an anonymous data feed. That turns every integration mistake, leaked endpoint, or forgotten test route into a direct path to regulated data.
The operational risk is broader than classic data theft. Attackers can enumerate records, automate scraping, pivot into account takeover workflows, and use the exposed API as a reliable source for fraud and identity abuse. NHI Management Group’s research shows that only 5.7% of organisations have full visibility into their service accounts, which helps explain why hidden exposure often persists until incident response or a customer complaint forces discovery. The same pattern appears in public-service failures such as the McDonald's McHire AI Chatbot Default Credentials case, where weak access assumptions became a data exposure problem.
For security teams, the issue is not whether the API is intended for customers, partners, or internal tooling. The real question is whether the trust boundary is technically enforced every time the endpoint is called. In practice, many security teams encounter mass-retrieval abuse only after data has already been indexed, copied, or sold, rather than through intentional testing.
How It Works in Practice
The safe operating model for a customer-data API starts with explicit identity checks, then moves through authorisation and abuse controls. A request should be tied to a known principal, constrained to a specific scope, and evaluated at runtime against the requested resource and action. That is consistent with the NIST Cybersecurity Framework 2.0 emphasis on access control, monitoring, and resilience.
In practice, teams should treat public internet exposure as hostile by default and add layered controls:
- Require authentication for every customer-data endpoint, including read-only APIs.
- Use scoped tokens so a session can access only the tenant, record set, or operation it genuinely needs.
- Apply rate limits and anomaly detection to reduce scraping, enumeration, and bulk export abuse.
- Log request identity, object IDs, and response volume so unusual retrieval patterns can be investigated quickly.
- Separate public-facing discovery endpoints from protected data endpoints wherever possible.
Where secrets or api key are involved, the control problem becomes an NHI problem as well. The Ultimate Guide to NHIs — Key Research and Survey Results notes that 79% of organisations have experienced secrets leaks, and 97% of NHIs carry excessive privileges. That combination makes public APIs especially dangerous because exposed access paths are often paired with overprivileged machine credentials.
Best practice is evolving toward short-lived credentials, least privilege, and continuous policy evaluation instead of static access rules alone. These controls tend to break down when legacy APIs were built without tenant isolation or when backend services trust network location more than caller identity.
Common Variations and Edge Cases
Tighter API controls often increase operational overhead, requiring organisations to balance developer convenience against exposure risk. That tradeoff is real, especially when public APIs support partner integrations, mobile apps, or high-volume customer self-service.
One common edge case is an API that is “public” in routing terms but should still require strong authentication. Another is a mixed endpoint that returns both low-risk metadata and sensitive customer records; in those cases, guidance suggests splitting the endpoint or applying field-level controls, because coarse access decisions invite overexposure. There is no universal standard for every API design yet, but current guidance consistently favours explicit scopes and strong observability.
Another failure mode appears when organisations assume that obscurity is protection. Hidden endpoints, undocumented query parameters, and unlinked test environments do not substitute for access control. The same applies to partner portals and embedded widgets, which can silently inherit broad access if identity context is not enforced end to end.
For teams managing high-risk customer data, the practical response is to validate access as if the endpoint were already being probed. That means testing unauthenticated requests, checking object-level authorisation, and confirming that every response path is rate-limited and logged before exposure reaches production.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Public APIs often expose overprivileged machine identities and static secrets. |
| NIST CSF 2.0 | PR.AC-4 | Customer-data APIs need authenticated, authorized access at every request. |
| NIST Zero Trust (SP 800-207) | GV.AC-1 | A public API should not trust network location or implicit perimeter access. |
| NIST AI RMF | Risk management must cover exposure, misuse, and monitoring for data-bearing systems. | |
| CSA MAESTRO | MAESTRO-01 | API exposure in agentic systems depends on trustworthy identity and runtime policy. |
Inventory API machine identities and replace broad, long-lived access with scoped, short-lived credentials.
Related resources from NHI Mgmt Group
- What breaks when customer identity data is exposed through a public web application?
- What breaks when contractors can copy regulated identity data to personal devices?
- What breaks when telemetry from AI agents includes identity data by default?
- What breaks when password reset alerts are driven by stale breach data?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org