Part 3: Designing a secure API