“Never Trust, Always Verify” is the short phrase minted by NIST in defining Zero Trust. With that in mind, understanding the user identity is an absolute requirement and should be applied when securing all APIs, for internal use cases in the same way as external ones. Leveraging OAuth and OpenID Connect (OIDC) in a token-based architecture aligns perfectly with achieving Zero Trust, regardless of the level of security needed.

In this talk participants will learn:

- How to leverage mTLS and certificate-bound tokens to level up API security
- Architectural patterns that prevent Personally Identifiable Information (PII) from reaching public applications
- How Scopes and Claims are used to authorize API access
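As an added illustration of the first and third bullets (not code from the talk or its speaker), the block below shows the resource-server side of a certificate-bound token as specified in RFC 8705: the authorization server records the client certificate's SHA-256 thumbprint in the token's cnf.x5t#S256 claim, and the API refuses the token unless the certificate presented on the mTLS connection hashes to the same value, then enforces the required scope. The certificate bytes and claim values are constructed samples; token signature validation is assumed to have already happened.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates; a real API
# would take these from the TLS layer of the current mTLS connection.
LEGIT_CERT_DER = b"\x30\x82\x01\x0aCONSTRUCTED-CERT-orders-service"
OTHER_CERT_DER = b"\x30\x82\x01\x0aCONSTRUCTED-CERT-some-other-client"

# Constructed claims of an access token after signature validation.
CLAIMS = {"sub": "svc-orders", "aud": "https://api.example.internal",
          "scope": "orders:read orders:write"}

def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER cert)) with padding removed."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def bind_token(claims: dict, cert_der: bytes) -> dict:
    """Authorization-server step at issuance: bind the token to the client cert."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound

def authorize(claims: dict, presented_cert_der: Optional[bytes],
              required_scope: str) -> Tuple[bool, str]:
    """Resource-server check: proof of possession first, then the scope."""
    expected = claims.get("cnf", {}).get("x5t#S256")
    if expected is None:
        return False, "token is not certificate-bound"
    if presented_cert_der is None:
        return False, "no client certificate on this connection"
    # Constant-time compare; a replayed token over a different mTLS
    # connection fails here even though its signature is valid.
    if not hmac.compare_digest(x5t_s256(presented_cert_der), expected):
        return False, "client certificate does not match cnf.x5t#S256"
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted"
    return True, f"ok: sub={claims['sub']}"

if __name__ == "__main__":
    token = bind_token(CLAIMS, LEGIT_CERT_DER)
    print(authorize(token, LEGIT_CERT_DER, "orders:read"))   # legitimate caller
    print(authorize(token, OTHER_CERT_DER, "orders:read"))   # token replayed by another client
    print(authorize(token, LEGIT_CERT_DER, "orders:delete")) # bound, but scope missing
```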