API security failures are not exotic. They rarely involve sophisticated attacks on cryptographic primitives or novel zero-day exploits. The most consequential breaches — the ones that expose millions of records, compromise user accounts, or shut down services — happen because an API allowed something it should not have, at a scale its designers did not anticipate. Understanding the fundamental attack surface of an API and designing against it deliberately is the entire discipline. It is not advanced knowledge. It is the baseline.