Security by Default Key statements: Security is enforced consistently at the gateway APIs never rely solely on application-layer controls Topics to name: OAuth 2.0 / OIDC JWt Scope-based access mTLS for internal APIs