# Pattern: Schema-First API Security

- Status: seed
- Readiness target: RL3 production
- Primary owners: product repos, NetKingdom Genesis
- Family: Application/API security

## Problem

APIs become difficult to validate, test, and protect when the request and response contract is implicit.

## Context

Use this pattern for OpenAPI, async APIs, event schemas, public APIs, tenant APIs, and internal service contracts.

## Forces

- Schemas can drive validation and tests.
- Schemas alone do not prove authorization.
- Backward compatibility must be managed.
- Sensitive fields need explicit treatment.

## Solution

Define API schemas before or alongside implementation and use them to drive validation, compatibility checks, security tests, documentation, and gateway/application enforcement.

## Verification

- Requests and responses are validated against versioned schemas.
- Sensitive fields are marked and tested.
- Breaking changes are detected before release.
- Authorization tests cover resources described by the schema.

## Related Patterns

- API Gateway as Security Boundary.
- Object-Level Authorization Check.
- Backend-for-Frontend.
- Secure File Upload Pipeline.
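The Solution and Verification sections above in working form, as an added example that is not part of this pattern catalogue: the schemas are constructed, the `x-sensitive` marker is an assumed vendor extension rather than a standard OpenAPI keyword, and the validator covers only required fields, unknown fields and primitive types (enough to show schema-driven validation, sensitive-field tagging and breaking-change detection between two versions).

```python
# Added example, not from the pattern catalogue: schemas as plain dicts in
# OpenAPI-style JSON Schema form. "x-sensitive" is an assumed vendor extension.
TYPE_MAP = {"string": str, "integer": int, "boolean": bool, "object": dict}

# Constructed contract v1: a tenant user record; email is marked sensitive.
USER_V1 = {"type": "object", "required": ["id", "email"],
           "properties": {"id": {"type": "integer"},
                          "email": {"type": "string", "x-sensitive": True},
                          "role": {"type": "string"}}}
# Constructed v2: adds a required field and drops "role" (both breaking).
USER_V2 = {"type": "object", "required": ["id", "email", "tenant_id"],
           "properties": {"id": {"type": "integer"},
                          "email": {"type": "string", "x-sensitive": True},
                          "tenant_id": {"type": "string"}}}

def validate(payload: dict, schema: dict) -> list[str]:
    """Return violations; an empty list means the payload conforms."""
    errors = []
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in payload:
            errors.append(f"missing required field: {name}")
    for name, value in payload.items():
        if name not in props:  # reject unknown fields instead of passing them through
            errors.append(f"unexpected field: {name}")
            continue
        expected = props[name]["type"]
        # bool is a subclass of int in Python, so keep integer and boolean distinct
        if not isinstance(value, TYPE_MAP[expected]) or (
                expected == "integer" and isinstance(value, bool)):
            errors.append(f"{name}: expected {expected}")
    return errors

def sensitive_fields(schema: dict) -> set[str]:
    """Fields carrying the assumed x-sensitive marker (input to redaction/log tests)."""
    return {n for n, p in schema.get("properties", {}).items() if p.get("x-sensitive")}

def breaking_changes(old: dict, new: dict) -> list[str]:
    """Changes an old client would not survive: removed fields, type changes, new required fields."""
    old_p, new_p = old.get("properties", {}), new.get("properties", {})
    changes = []
    for name in old_p:
        if name not in new_p:
            changes.append(f"removed field: {name}")
        elif old_p[name]["type"] != new_p[name]["type"]:
            changes.append(f"type changed: {name}")
    for name in sorted(set(new.get("required", [])) - set(old.get("required", []))):
        changes.append(f"new required field: {name}")
    return changes
```

Running `breaking_changes(USER_V1, USER_V2)` in a release check is the kind of gate the Verification section asks for; `sensitive_fields` gives a test the list of properties whose values must never appear in logs or error bodies.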