What are considerations and security concerns that are typically involved in building APIs for developers?
We're generally going to be looking at a lot of different factors (depending on what the API is going to do exactly), but -- speaking from experience -- I can tell you that some of the things we look at are:
Depending on the answers to those questions, we tend to do a deeper dive into what the API is doing and how it's doing it to make sure that not only is PayPal going to be safe, but our customers as well.
This is a broad question that can be answered by lots of industry-standard information on API development. PayPal is a leader in this space, and is an active member in the OpenAPI Initiative. We have all the same concerns as many other API developers: building developer-friendly APIs with consistent standards, onboarding new users, authentication, app management, SDKs, documentation, sandbox, dashboards, up-time and other *ilities, partners, community engagement, and sunsetting old APIs. All of these require attention to ensure the developer experience is pleasant and meets the needs of your business.
Specifically regarding security concerns: as a financial company, we have to ensure extra effort is placed on ensuring APIs and data behind them are safe and secure behind a solid authentication mechanism. You can read more about it on our REST APIs Getting Started documentation.