If you are authenticating, you should also be authorizing.
#4: APIs are Authorized, but not Authenticated
This is a very common pitfall, especially in public-facing APIs. It is not uncommon to find APIs that are authorized but not authenticated. This is especially true for