API Authorization Risk

Why tenant boundaries, ownership checks, role permissions, and sensitive API actions need proof-backed validation.

The core API authorization question

Can a user, system, or agent access data or trigger an action it should not? Most serious API issues reduce to this question.

Tenant boundaries and object ownership

Multi-tenant systems must enforce that every request is scoped to the correct tenant and that the caller owns the object being read or modified.

Role permissions and sensitive actions

Authentication confirms identity. Authorization confirms whether that identity is allowed to perform the specific action being requested.

Common failure patterns

Missing ownership checks, role checks that run only in the UI (so the API itself never enforces them), broken object-level authorization, and overly permissive admin routes.

What proof-backed API validation should include

The affected endpoint, the missing guard, the data exposed, the actor who could trigger it, and validation that the fix closes the path.

Example failure patterns

Concrete patterns Telhawk looks for when validating API authorization.

Customer ID reaches billing lookup without ownership validation
Admin route checks login but not role permission
Export endpoint exposes records across tenant boundary
AI agent tool can call sensitive API without approval
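The four failure patterns above, and the tenant-boundary and role-permission principles from the earlier sections, are easiest to see side by side in code. The following is an added example and not Telhawk's code: a tiny in-memory billing API where each vulnerable handler is paired with a hardened one. The record store, the `Actor` type, the role names (`billing_admin`, `platform_admin`), the tool registry and all function names are constructed for this illustration.

```python
"""Added example (not Telhawk's code): vulnerable API handlers beside their
hardened forms for the four failure patterns listed on the page.

Everything here is constructed: the record store, the Actor model, the role
and tool names. A real service would apply the same checks at the data
access layer, not only in the UI.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    user_id: str
    tenant_id: str
    roles: frozenset


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


# Constructed sample data: two tenants, each with one billing record.
BILLING = {
    "cust-100": {"tenant_id": "tenant-a", "owner_id": "alice", "balance": 120.0},
    "cust-200": {"tenant_id": "tenant-b", "owner_id": "bob", "balance": 55.0},
}

# Pattern 1: customer ID reaches billing lookup without ownership validation.
def lookup_billing_vulnerable(actor, customer_id):
    # Identity is confirmed (we have an Actor) but the record is fetched purely
    # by ID: any authenticated user can read any tenant's billing data.
    return BILLING[customer_id]


def lookup_billing(actor, customer_id):
    record = BILLING.get(customer_id)
    # Same error for "missing" and "other tenant", so the endpoint does not
    # confirm which customer IDs exist elsewhere.
    if record is None or record["tenant_id"] != actor.tenant_id:
        raise Forbidden("no such customer for this tenant")
    # Object-level check: caller must own the record or hold a billing role.
    if record["owner_id"] != actor.user_id and "billing_admin" not in actor.roles:
        raise Forbidden("caller does not own this customer record")
    return record


# Pattern 2: admin route checks login but not role permission.
def require_role(role):
    def decorator(fn):
        def wrapper(actor, *args, **kwargs):
            if role not in actor.roles:
                raise Forbidden(f"role {role!r} required")
            return fn(actor, *args, **kwargs)
        return wrapper
    return decorator


def delete_tenant_vulnerable(actor, tenant_id):
    # Any authenticated actor may call this; being logged in is not a role.
    return f"deleted {tenant_id}"


@require_role("platform_admin")
def delete_tenant(actor, tenant_id):
    return f"deleted {tenant_id}"


# Pattern 3: export endpoint exposes records across tenant boundary.
def export_all_vulnerable(actor):
    return list(BILLING.values())  # no tenant filter at all


def export_all(actor):
    # Tenant scoping applied in the query itself, not left to the UI.
    return [r for r in BILLING.values() if r["tenant_id"] == actor.tenant_id]


# Pattern 4: AI agent tool can call sensitive API without approval.
SENSITIVE_TOOLS = {"issue_refund"}  # constructed tool registry


def agent_call_tool(actor, tool, approved_by=None):
    # Sensitive tools need a recorded human approval, not just agent identity.
    if tool in SENSITIVE_TOOLS and approved_by is None:
        raise Forbidden(f"tool {tool!r} requires an approval")
    return f"{tool} executed for {actor.user_id}"


def is_forbidden(fn, *args, **kwargs):
    """Return True if the call is rejected by an authorization check."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    mallory = Actor("mallory", "tenant-b", frozenset())
    print("vulnerable lookup leaks:", lookup_billing_vulnerable(mallory, "cust-100"))
    print("hardened lookup blocks:", is_forbidden(lookup_billing, mallory, "cust-100"))
    print("vulnerable export rows:", len(export_all_vulnerable(mallory)))
    print("hardened export rows:", len(export_all(mallory)))
```

Each hardened handler fails closed and enforces the check on the server side, which is the guard a proof-backed finding would name as missing and then re-test after the fix.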
Need API authorization proof?

Telhawk reviews API authorization with proof-backed evidence for every finding.