API security audit