Securing APIs in the age of connected experiences