How would you secure REST and GraphQL APIs at Asapp, including rate limiting and proper authentication flows such as OAuth and JWT?