Install: claude install-skill hlsitechio/claude-skills-security
# SaaS API Security Audit
Audit the API surface of a SaaS — the endpoints exposed to customers, their integrations, and (when applicable) the public internet. Defensive focus.
## When this skill applies
- Reviewing CORS configuration on web APIs
- Auditing rate limiting strategy (per-key, per-IP, per-tenant, global)
- Verifying webhook signature implementation (Stripe, GitHub, custom HMAC)
- Reviewing GraphQL query cost / depth limits
- Reviewing idempotency keys on write endpoints
- Auditing API key management (generation, storage, rotation, revocation)
Use other skills for: code-level vulnerabilities (`saas-code-security-review`), tenant isolation in queries (`saas-tenant-isolation`), Supabase-specific edge function auth (`supabase-security-audit`).
## Workflow
Follow `../_shared/audit-workflow.md`. API-specific notes below.
### Phase 1: Scope confirmation
- Public API or internal-only?
- REST, GraphQL, gRPC, WebSocket, or mix?
- Auth mechanisms (API keys, JWT, OAuth, mTLS)?
- Gateway in front (Cloudflare, Kong, AWS API Gateway, Apigee)?
- Customer-facing webhooks: outbound, inbound, or both?
### Phase 2: Inventory
- List all endpoints / GraphQL resolvers / WebSocket events.
- List rate-limit configurations (gateway + application layer).
- List CORS configurations per route or group.
- List webhook endpoints (inbound) and webhook destinations (outbound).
- List API key types (admin, scoped, ephemeral) and their issuance flow.
### Phase 3: Detection — the checks