You are responsible for a public API that serves internal and external clients and exposes sensitive research metadata. The API is behind an ingress layer and talks to downstream services over the network. A recent review found inconsistent authentication behavior across endpoints and no clear story for request logging or abuse detection.