Hackers have shifted their interest to APIs due to the amount of sensitive data exposed through them. But yesterday’s defenses cannot protect against today's threats. The latest OWASP Top 10 list shows that previously uncommon attacks have become widespread in the last few years:
Insecure API design (missing or ineffective controls)
Software and data integrity failures (API code and infrastructure that does not protect against integrity violations)
Server-side request forgery (SSRF for short: a web application fetches a remote resource without validating the user-supplied URL) - #1 in the 2021 OWASP Top 10 Community survey
Security based on authentication & authorization cannot protect you against these new threats. You need to validate your API traffic to ensure data flowing to and from API endpoints adheres to the specifications. Knowing the source does not mean the data is not malicious; each request and response should be validated down to the key-value level against a security schema.
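As an added example (not code from the original post), a minimal request validator in the spirit of the key-value schema check described above: it rejects unexpected keys, wrong types and out-of-range values, and checks a user-supplied URL field against a scheme and hostname allowlist, the kind of control that addresses SSRF. The "register webhook" endpoint, its schema and the allowlist are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed example schema for a hypothetical "register webhook" endpoint.
SCHEMA = {
    "required": {"name", "callback_url"},
    "properties": {
        "name": {"type": str, "max_length": 64},
        "callback_url": {"type": str, "url": True},
        "retries": {"type": int, "min": 0, "max": 5},
    },
}

# Hosts the service is allowed to fetch from (assumed allowlist).
ALLOWED_HOSTS = {"hooks.example.com"}


def url_problem(value):
    parts = urlsplit(value)
    if parts.scheme != "https":
        return "scheme must be https"
    host = parts.hostname or ""
    # A hostname allowlist rejects IP literals and internal names without
    # having to enumerate private ranges, link-local or loopback addresses.
    if host not in ALLOWED_HOSTS:
        return f"host {host!r} is not in the allowlist"
    return None


def validate(payload, schema=SCHEMA):
    """Return a list of violations; an empty list means the body conforms."""
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    props = schema["properties"]
    errors = [f"{k}: unexpected key" for k in payload if k not in props]
    errors += [f"{k}: missing" for k in schema["required"] if k not in payload]
    for key, rule in props.items():
        if key not in payload:
            continue
        val = payload[key]
        # Exact type match: a bool is not accepted where an int is expected.
        if type(val) is not rule["type"]:
            errors.append(f"{key}: expected {rule['type'].__name__}")
            continue
        if "max_length" in rule and len(val) > rule["max_length"]:
            errors.append(f"{key}: longer than {rule['max_length']}")
        if val < rule.get("min", val) or val > rule.get("max", val):
            errors.append(f"{key}: outside {rule['min']}..{rule['max']}")
        if rule.get("url") and url_problem(val):
            errors.append(f"{key}: {url_problem(val)}")
    return errors
```

The same function can be applied to responses before they leave the service, which is the response-side half of the validation the text calls for.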