Comment, Nov 17, 2018
It may be better to use API tokens for authenticating calls to your API. Other options are OAuth2 or JWT. Make sure that you allow connections only over HTTPS (especially if you decide to use OAuth2, since the protocol relies on TLS for providing confidentiality and integrity). In general, most typical vulnerabilities for web apps (maybe excepting XSS) apply to APIs (I assume we are talking about an HTTP API). OWASP provides good info and guidelines. Good luck!
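As an added illustration of the API-token approach the comment recommends (example code written for this page, not the commenter's own), the function below checks a bearer token against a store of token hashes using a constant-time comparison and refuses requests that did not arrive over HTTPS. The in-memory `TOKEN_STORE`, the sample token value, and the `scheme` argument (which a real service would take from the request or from a trusted `X-Forwarded-Proto` header behind a TLS-terminating proxy) are all constructed assumptions; enforcing HTTPS at the web server or load balancer remains the primary control, and this check is only defence in depth.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def hash_token(token: str) -> str:
    """Tokens are high-entropy random strings, so a plain SHA-256 is enough
    to avoid keeping the raw secret in the store (assumption: no KDF needed)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed store for the example: sha256(token) -> client identifier.
# A production service would keep this in a database, never in source code.
SAMPLE_TOKEN = "example-token-for-client-a-not-a-real-secret"
TOKEN_STORE: Dict[str, str] = {hash_token(SAMPLE_TOKEN): "client-a"}


def issue_token(client_id: str, store: Dict[str, str]) -> str:
    """Create a new random token for a client and record only its hash."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    store[hash_token(token)] = client_id
    return token


def authenticate(headers: Dict[str, str], scheme: str,
                 store: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (client_id, reason). client_id is None when the request is rejected.

    The reason string is meant for server-side logging; the HTTP response to the
    caller should stay generic (401) so it does not leak which check failed."""
    if scheme.lower() != "https":
        # Bearer tokens are bearer credentials: anyone who sees one can use it,
        # so they must never travel over plaintext HTTP.
        return None, "https_required"

    auth = headers.get("Authorization", "")
    parts = auth.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None, "missing_bearer_token"

    presented = hash_token(parts[1].strip())
    # Compare against every stored hash with hmac.compare_digest so the time
    # taken does not depend on how many leading characters match.
    for stored_hash, client_id in store.items():
        if hmac.compare_digest(stored_hash, presented):
            return client_id, "ok"
    return None, "invalid_token"


if __name__ == "__main__":
    ok = authenticate({"Authorization": f"Bearer {SAMPLE_TOKEN}"}, "https", TOKEN_STORE)
    plain = authenticate({"Authorization": f"Bearer {SAMPLE_TOKEN}"}, "http", TOKEN_STORE)
    bad = authenticate({"Authorization": "Bearer wrong"}, "https", TOKEN_STORE)
    print(ok, plain, bad)
```

The response sent back to the client should be a bare 401 in every rejected case; the `reason` value is for your own logs and detection rules, where a burst of `invalid_token` results from one source is worth alerting on.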