You are responsible for a set of internal APIs that power order management, loyalty, and payment-adjacent workflows. The APIs are consumed by services running in multiple environments, and a recent review found inconsistent authentication, overly broad access, and a few endpoints that expose more data than callers need. You also need to keep the APIs easy for engineers to use without creating a path for privilege escalation or accidental data leakage.
How would you design these APIs so they are secure by default while still being practical for service-to-service use? What would you do to prevent unauthorized access, replay or abuse, and overexposure of sensitive fields, and how would you verify those controls are actually working?