API Security
Module C — API / Microservices Security Certification
ISO/IEC 17065-accredited third-party certification of APIs and microservices — REST, GraphQL, gRPC, event-driven and other machine-to-machine interfaces — anchored in the OWASP API Security Top 10. Three assurance levels match evaluation depth to your API’s risk profile and your customers’ due-diligence expectations.
What Module C Is For
Built for the API-as-Product Question
Module C of Guardian SecureApp™ is the right module when your product surface is an API or a set of APIs — a machine-to-machine interface where the security of authentication, authorisation, schema validation, rate limiting, data exposure and inventory management is the primary assurance question your customers, partners or regulators are asking. The certification is granted under ISO/IEC 17065:2012 and is issued by Guardian Assessment Pvt. Ltd., a Conformity Assessment Body accredited by United Accreditation Foundation (UAF) under accreditation number 52605385601 (IAF Scope Code 33, valid until 05 May 2030).
APIs have become products in their own right. Open-banking APIs, embedded-finance rails, developer platforms, partner-integration APIs, AI / ML inference APIs, and the public APIs of B2B SaaS providers are all sold, contracted, and consumed independently — and increasingly are subject to procurement and regulatory scrutiny that asks specifically about API security, distinct from the security of any web application that may also exist around them. Module C exists for that scrutiny: a publicly-listed, accredited certificate that the named API, at the named version, has been independently evaluated against the OWASP API Security Top 10 at the named assurance level and meets the certification criteria.
Module C is structurally distinct from Module A. Module A evaluates web applications against the broader OWASP ASVS. Module C is anchored in the OWASP API Security Top 10 — a framework specifically engineered for the API attack surface, addressing risks that are either absent from, or under-emphasised in, the web-application threat model: BOLA / BFLA at machine-to-machine speed, mass assignment in JSON request bodies, API inventory drift, unsafe consumption of upstream APIs, and the resource-consumption attacks that automated clients enable. A web application that calls APIs may have those APIs evaluated as part of Module A under the ASVS V13 (API and Web Service Interfaces) control family; but when the API surface is itself the product, Module C applies in its own right with its own scope.
What Gets Certified
The API Surfaces We Certify
Module C is API-architecture-agnostic. We certify the security posture of API products regardless of the protocol, framework, gateway or runtime. Within the broad scope of ‘APIs and microservices’, the typical product surfaces certified under Module C include the following:
- Public REST APIs — JSON / OpenAPI-described HTTP APIs exposed to customers, partners or developers, whether monetised, freemium or open-access.
- Partner-Facing APIs — APIs exposed to a contracted partner ecosystem under separate authentication and rate-limit regimes (B2B integrations, ecosystem APIs, marketplace APIs).
- GraphQL APIs — single-endpoint query interfaces with their distinct evaluation profile (query depth, query cost analysis, persisted queries, introspection control, type-level authorisation).
- gRPC and Protocol Buffer APIs — binary, schema-defined, high-throughput APIs typical in microservices architectures and high-performance integrations.
- Internal-Service-to-Service APIs — where they are themselves the certified product (e.g., a platform team selling internal API capability to internal product teams as a contracted service).
- Webhooks (Outbound APIs) — where the platform issues signed webhooks to customer endpoints; webhook security (signing, timestamps, replay protection, retry semantics) falls within Module C scope.
- Event-Driven and AsyncAPI Surfaces — Kafka, Pulsar, AWS EventBridge, NATS and similar — where they are exposed as a contracted integration surface.
- AI / ML Inference APIs — model-serving APIs with their distinct evaluation profile (input-validation against prompt-injection vectors, rate limiting under inference cost, output filtering, model-version disclosure, training-data leakage paths).
The technology stack is not a certification gate. We have no preferred runtime (Node.js, Python, Go, Java, .NET, Rust, Elixir), gateway (Kong, Apigee, AWS API Gateway, Azure API Management, Tyk, custom), or service mesh. What we do require, as with Module A and Module B, is a clear scoping conversation that identifies precisely which APIs, endpoints, versions and integrations are within the boundary of evaluation. The Scope Statement names this boundary explicitly.
The Technical Backbone
Built on the International Standard for API Risk
The technical backbone of Module C is the OWASP API Security Top 10 — an open, internationally maintained framework that enumerates the most critical API security risks observed across many organisations, validated through community review, and updated through the OWASP Foundation’s published-revision process. The framework is the de facto common language of API security; it is referenced by procurement teams, regulators, and engineering organisations across regulated and security-critical sectors.
Module C tracks the current published edition of the OWASP API Security Top 10. The current edition is the 2023 release, which significantly evolved the framework from its predecessor — adding new categories (Unrestricted Access to Sensitive Business Flows; Server-Side Request Forgery; Unsafe Consumption of APIs), restructuring authorisation categories (the introduction of Broken Object Property Level Authorisation, BOPLA, which subsumes the previous Mass Assignment and Excessive Data Exposure categories), and re-emphasising operational and inventory risks. The current edition is referenced as API1:2023 through API10:2023.
Where the OWASP API Security Top 10 is updated by OWASP in future releases, updates are reviewed by Guardian’s Technical Review Panel and adopted into the GSA-PR-01 scheme document through a documented scheme-revision process. Existing certificates remain valid for their original cycle; recertification engagements use the version of the framework current at the time of recertification. Material framework changes are communicated to certified clients with appropriate transition guidance. Detailed treatment of the framework is at /standards/owasp-api-top-10.
Top 10 Categories
The Ten Categories We Evaluate
Below is a summary of the ten categories of the OWASP API Security Top 10 (2023 edition) evaluated under Module C, organised in the canonical API1–API10 order. The depth of evaluation in each category scales with the assurance level. This list is illustrative; the authoritative reference is OWASP API Security Top 10 itself, which is updated periodically and to which Module C tracks via GSA-PR-01.
| Code | Risk Category | What We Evaluate |
|---|---|---|
| API1:2023 | Broken Object Level Authorisation (BOLA) | Authorisation enforcement at every object-access endpoint; defence against direct object reference manipulation; tenant-aware authorisation boundary where applicable; API1 is the most consequential category for most production APIs. |
| API2:2023 | Broken Authentication | Token issuance, validation, expiration; OAuth 2.0 / OIDC implementation hygiene; JWT signing and validation; credential storage; brute-force resistance; session lifecycle; refresh-token handling; multi-factor where applicable. |
| API3:2023 | Broken Object Property Level Authorisation (BOPLA) | Property-level authorisation on response bodies, excessive data exposure resistance, and request bodies, mass assignment resistance; schema-level enforcement; role-aware property filtering. |
| API4:2023 | Unrestricted Resource Consumption | Rate limiting at user, IP, token, and global granularity; quota enforcement; query-cost analysis, especially GraphQL; pagination limits; resource-allocation defences; protection against billing-amplification and computation-amplification attacks. |
| API5:2023 | Broken Function Level Authorisation (BFLA) | Function / endpoint-level access control by role; admin-function discovery resistance; consistent enforcement across HTTP methods; protection against function-level privilege escalation. |
| API6:2023 | Unrestricted Access to Sensitive Business Flows | Business-flow-level rate limiting; anti-automation on critical sequences such as account creation, payment, and voucher redemption; detection of automated abuse patterns even where individual requests are technically authorised. |
| API7:2023 | Server-Side Request Forgery (SSRF) | URL handling in API parameters; defence against internal-service access via attacker-controlled URLs; metadata-service protection in cloud environments; allow-list enforcement on outbound calls; webhook-target validation. |
| API8:2023 | Security Misconfiguration | Hardening of API runtime, gateway, and framework defaults; CORS configuration; HTTP security headers; permissive defaults; debug endpoints in production; verbose error responses; misconfigured cloud security groups. |
| API9:2023 | Improper Inventory Management | API inventory completeness; shadow APIs, undocumented endpoints; zombie APIs, deprecated but reachable endpoints; environment separation between production, staging, and development APIs; version sunsetting discipline; public-vs-private endpoint discipline. |
| API10:2023 | Unsafe Consumption of APIs | How the API consumes upstream APIs, including third-party services and partner APIs; validation of upstream responses; treating upstream as untrusted; defence against upstream-supply-chain compromise; webhook input validation. |
Detailed treatment of each category — with evaluation methodology, severity assessment guidance and worked examples — is at /standards/owasp-api-top-10.
API Architectures
Module C is Architecture-Agnostic — Within the API Definition
Module C does not require a specific API architecture; it does require that the architecture in scope is documented and that the boundary of certification is unambiguous. Below is a summary of the architectural patterns Guardian routinely evaluates under Module C, with notes on the evaluation specifics for each.
| Architecture | Module C Evaluation Specifics |
|---|---|
| REST / OpenAPI | Default architecture. Evaluation uses the OpenAPI / Swagger specification as the contract; verification that the runtime enforces what the spec describes; testing against documented and often undocumented endpoints; HTTP-method-aware authorisation testing. |
| GraphQL | Single-endpoint architecture with distinct evaluation profile. We evaluate query depth limits, query cost analysis, persisted-query discipline, introspection enablement in production, type-level and field-level authorisation, batching abuse, and alias-based authorisation bypass. |
| gRPC / Protocol Buffers | Binary schema-defined APIs typical in microservices. We evaluate the .proto contract, mTLS implementation, server reflection in production, streaming-call authorisation, deadlines and resource limits, and interceptor-based security policies. |
| Webhooks | Outbound APIs. We evaluate webhook signing such as HMAC or JWT, timestamp / replay protection, retry semantics, customer endpoint validation, secret rotation, and delivery-failure handling. |
| Event-Driven / AsyncAPI | Where event streams are exposed as a contracted integration surface, such as Kafka, Pulsar, or EventBridge. We evaluate topic-level authorisation, schema validation on producer and consumer, message-level encryption, and multi-tenant topic isolation where applicable. |
| API Gateway-Fronted | Where an API gateway such as Kong, Apigee, AWS API Gateway, Tyk, or a custom gateway fronts the certified API. We evaluate the gateway’s authentication / authorisation enforcement, rate limiting, request transformation hygiene, and the boundary between gateway and origin, including gateway-bypass risk. |
| Service-Mesh-Fronted Microservices | Where Istio, Linkerd, Consul Connect, or similar technologies provide the integration substrate. We evaluate mTLS configuration, authorisation policies, service-identity discipline, and sidecar-bypass risk. |
| AI / ML Inference APIs | Distinct evaluation profile. We evaluate input validation against prompt-injection and adversarial-input vectors, rate limiting under inference cost, output filtering for sensitive-data leakage, model-version disclosure controls, and audit logging of inference requests and responses. |
Levels
Level Selection for Module C
All three Guardian SecureApp™ levels are available under Module C. As with Module B, the typical level distribution is shifted upward — most public-facing or partner-facing APIs default to Level 2 or Level 3, because the cost of a breach in an API surface is typically larger and more systematically exploitable than a comparable issue in a single web app.
| Aspect | Level 1 Basic | Level 2 Advanced | Level 3 High-Risk / Critical |
|---|---|---|---|
| API Top 10 coverage | All ten categories at baseline depth. | All ten categories with multi-role authorisation and business-logic coverage. | Adversarial / threat-led evaluation across all ten categories. |
| BOLA / BFLA testing | Single-role scenario. | Multi-role testing plus privilege escalation paths. | Multi-role, multi-tenant, and chained-attack scenarios. |
| Source code review | Not mandatory. | Sample-based review on authentication, authorisation, and schema enforcement. | Comprehensive review across the in-scope codebase. |
| Inventory / Shadow API discovery | Documented inventory verification. | Active discovery techniques. | Comprehensive discovery plus version-history review. |
| Rate-limit and abuse-pattern testing | Standard scenarios. | Multi-tier limits plus business-flow abuse testing. | Adversarial automation plus cost-amplification testing. |
| Indicative Starting Fee* | USD 2,000 onwards | USD 4,000 onwards | USD 7,000 onwards |
| Typical Timeline | 4–7 weeks. | 7–11 weeks. | 11–16 weeks. |
*Indicative starting fees apply to small organisations certifying a single, low-complexity API on a single technology stack in a single environment, under Module C only. Final fees depend on the number of endpoints, API complexity, codebase size, evaluation man-days. Fees do not influence the certification decision (ISO/IEC 17065 Clause 4.2 — impartiality requirement).
Detailed Level pages: /levels/level-1-basic, /levels/level-2-advanced, /levels/level-3-critical.
Evaluation
How We Evaluate an API
Module C evaluation is documented in GSA-PR-01 and applied uniformly across applicants at the same level. The methodology blends documentation review (Stage 1) with technical evaluation (Stage 2).
Documentation Review
Stage 1 reviews: the API specification, OpenAPI / Swagger / .proto / GraphQL schema / AsyncAPI definition; the authentication and authorisation architecture; the rate-limit and quota strategy; the API inventory, current and deprecated endpoints, version-sunsetting policy; the upstream-API integration list, where applicable for API10 evaluation; the threat model; and prior security assessment evidence.
Technical Evaluation
Stage 2 is the core technical evaluation. Activities include:
- Specification-driven testing — verifying that the runtime enforces what the OpenAPI / Swagger / GraphQL schema declares, with no over-permissive operations, undeclared fields, or spec-drift.
- Authentication and token testing — token issuance, validation, expiration, revocation; OAuth 2.0 / OIDC flows; JWT signature and claims validation; mTLS where claimed; API key handling.
- Authorisation testing across multiple roles — BOLA, BFLA, and BOPLA testing at endpoint, function, and property granularity; horizontal and vertical privilege escalation paths.
- Schema validation testing — input validation per the API contract; rejection of unknown fields; enforcement of types, formats, length limits; protection against payload-based attacks.
- Rate limiting and quota testing — verifying that documented rate limits are actually enforced, at the granularities claimed, including per-user, per-IP, per-token, per-endpoint, global, and business-flow-level limits.
- Inventory and shadow-API discovery — active probing for undocumented endpoints, deprecated endpoints reachable in production, and environment-separation drift.
- SSRF / outbound-call testing — defence against URL-parameter manipulation, internal-service access, cloud metadata service access, and webhook-target manipulation.
- Upstream-consumption testing (API10) — validation of upstream API responses and defence against upstream supply-chain compromise.
- Source code review — at Level 2, sample-based on authorisation enforcement, schema validation, and authentication; at Level 3, comprehensive across the in-scope codebase.
- Configuration review — API gateway configuration, CORS, HTTP security headers, runtime defaults, and debug endpoint exposure.
Scope
The Boundary of a Module C Certificate
As with Module A and Module B, the boundary of a Module C certificate is precise and named in the Scope Statement. Anything inside the boundary has been evaluated; anything outside has not.
| In Scope Typically | Out of Scope Unless Explicitly Added |
|---|---|
The named API surface, including endpoints, operations, and schemas, at the named version or version range. | Underlying cloud platform controls such as AWS, Azure, or GCP, which are governed by the provider’s own attestations. |
Authentication and token issuance for the API; authorisation enforcement at every operation. | Third-party Identity Providers themselves, such as Okta, Auth0, or Cognito, beyond your configuration of them. |
API gateway configuration, where the gateway fronts the certified API, and the boundary between gateway and origin. | Customer-side integrations consuming the API, which sit outside the certified product boundary. |
Schema validation, input / output handling, mass-assignment defences, and excessive-data-exposure controls. | Customer-controlled webhook receiving endpoints, which sit outside the platform boundary. |
Rate limiting, quota enforcement, abuse-pattern detection, and business-flow protections. | Network DDoS protection at the cloud-provider edge, such as Shield, Cloudflare, or WAF. These may be referenced but are not re-evaluated. |
API inventory in the certified scope, environment separation, and deprecation discipline. | Web applications wrapping the API. These fall under Module A; modules may be combined on a single certificate where applicable. |
Outbound consumption of upstream APIs for API10 evaluation, covering the consumption logic rather than the upstream APIs themselves. | Mobile-app SDKs and library code that wraps the API, which are not currently in the accreditation scope. |
Deliverables
What You Receive at the End of a Module C Engagement
On successful completion of a Module C engagement, the following outputs are issued. The structure mirrors Module A and Module B; the content reflects the API-specific evaluation.
Certificate of Conformity (Public)
Signed, dated, numbered certificate confirming Module C certification of the named API at the named version (or version range), against the named assurance level. Publicly listed at /directory. Display rights per the Use of Mark Policy.
Scope Statement (Public Summary)
Names the boundary: the API endpoints / GraphQL schema / .proto contracts in scope, the authentication mechanisms certified, the environment evaluated, and any explicit exclusions. The summary is referenced from the public directory; the full Scope Statement sits in the certification record.
Evaluation Report (Confidential — Applicant Only)
Detailed technical report covering scope, methodology, evaluation activities, findings (with severity, OWASP API Top 10 reference where applicable, GSA-PR-01 control reference), corrective actions taken, and the conclusion.
Findings Report (Issued during Stage 2; Confidential)
Detailed findings with severity, technical detail and references to the relevant OWASP API Top 10 category. Findings describe the issue and the relevant control; how the applicant addresses each finding is the applicant’s responsibility, with their own resources or any third party they engage.
Listing in Public Directory
Certificate facts added to /directory immediately on issuance. Status updates (suspension, withdrawal, renewal) reflected in real time.
Mark Usage License
Documented license to use the Guardian SecureApp™ certification mark in respect of the certified API surface, in accordance with UAF-GEN-CAB-02 and the Use of Mark Policy at /marks-policy.
Timeline & Cost
How Long, How Much
Module C engagements have timelines comparable to Module A engagements at the equivalent level — though with a meaningful weighting toward higher levels for public-facing APIs, where buyer expectation typically requires Level 2 or Level 3 depth.
Level 1
Basic
$2,000
onwards
Indicative Starting Fee *
Typical Timeline
4–7 weeks
For Internal-service APIs, low-criticality partner APIs
Level 2
Advanced
$4,000
onwards
Indicative Starting Fee *
Typical Timeline
7–11 weeks
For Public REST/GraphQL APIs, partner integrations, B2B platforms
Level 3
High-Risk / Critical
$7,000
onwards
Indicative Starting Fee *
Typical Timeline
11–16 weeks
For Open banking APIs, payment APIs, embedded-finance rails, AI inference platforms
*Indicative starting fees apply to small organisations certifying a single, low-complexity API on a single technology stack in a single environment, under Module C only. Final fees depend on the number of endpoints, API complexity, codebase size, evaluation man-days. Fees do not influence the certification decision (ISO/IEC 17065 Clause 4.2 — impartiality requirement).
Platforms
Where Module C Drives Procurement Outcomes
Module C is a procurement-driven module. Three sectors generate the bulk of inbound interest, and each one frames the certification differently:
1
Open Banking and Account Information / Payment Initiation APIs
Open-banking APIs — whether under formal regulatory frameworks (PSD2-style Account Information Service Provider / Payment Initiation Service Provider regimes globally) or under emerging account-aggregator frameworks — face explicit security expectations. Module C provides an accredited third-party attestation that is interpretable across the participating ecosystem and across borders. For Indian Account Aggregator FIPs and FIUs, Module C complements (rather than replaces) regulator-specific empanelment requirements; we are happy to discuss your specific regulatory driver during scoping.
2
Embedded Finance and Banking-as-a-Service
BaaS providers and embedded-finance rails sell their APIs as the product. The buyer base — fintech apps, neobanks, vertical SaaS platforms embedding financial services — runs vendor due diligence specifically on the API’s security posture. Module C produces a publicly-listed certificate that those buyers can verify without involving you in the verification step, materially shortening procurement cycles.
3
AI / ML Inference APIs and Developer Platforms
Model-serving APIs, vector-database APIs, agentic-AI platforms and developer-tool APIs increasingly face buyer due diligence on their API security — including emerging concerns around prompt-injection, model-output filtering, training-data leakage and inference-cost amplification. Module C’s evaluation profile includes these AI/ML-specific concerns where the certified API is a model-serving or AI platform; the OWASP API Top 10 categories adapt naturally to these risks (API4 for inference-cost amplification; API3 BOPLA for training-data leakage in model outputs; API1 BOLA for tenant-isolation in multi-tenant inference platforms).
In all three sectors, the procurement signal is the same: a publicly-verifiable, accredited certificate against the OWASP API Security Top 10 is interpretable to any buyer’s security team, regardless of geography or industry.
Frequently Asked Questions
Common Questions, Answered
Yes. GraphQL APIs are explicitly covered under Module C, with a distinct evaluation profile reflecting GraphQL’s single-endpoint architecture: query depth limits, query cost analysis, persisted-query discipline, introspection control, type-level and field-level authorisation, batching and alias-based authorisation bypass testing. The Scope Statement names the GraphQL schema (or schema version) in scope.
Module A evaluates web applications against the OWASP ASVS, with V13 (API and Web Service Interfaces) covering the web app’s calls to its backend APIs as part of the integrated product. Module C separately evaluates APIs as products in their own right, anchored in the OWASP API Security Top 10 — appropriate when the API surface is itself the product (developer platform, partner-integration API, BaaS rail). A SaaS that exposes both a customer-facing web UI and a public partner API would naturally combine Modules A and C on a single certificate, with the SaaS multi-tenant scope addressed by Module B.
Guardian currently evaluates against the OWASP API Security Top 10 (2023 edition) — categories API1:2023 through API10:2023. Where OWASP publishes a new edition, the change is reviewed by Guardian’s Technical Review Panel and adopted into GSA-PR-01 through a documented scheme-revision process. Existing certificates remain valid for their original cycle; recertification engagements use the version of the framework current at the time of recertification.
Yes. Where the certified API is a model-serving API, vector-database API, agentic-AI platform or similar, Module C’s evaluation profile includes AI/ML-specific concerns: input validation against prompt-injection vectors, rate limiting under inference cost (API4), output filtering for sensitive-data leakage, model-version disclosure controls, audit logging of inference requests/responses, and (for multi-tenant inference platforms) tenant-isolation evaluation in collaboration with Module B.
Source code review is sample-based at Level 2 (focused on authorisation enforcement, schema validation, authentication) and comprehensive at Level 3 (covering the in-scope codebase). Level 1 does not require source code access. Code review is conducted via secure remote access in your environment wherever feasible; source code is not retained by Guardian.
Where an API gateway (Kong, Apigee, AWS API Gateway, Azure API Management, Tyk, custom) fronts the certified API, evaluation specifically covers the gateway’s authentication and authorisation enforcement, rate limiting, request transformation hygiene, and the boundary between gateway and origin (gateway-bypass risk). The gateway product itself is not re-certified — that is governed by the gateway vendor’s own attestations — but its configuration and the integration boundary are in scope.
Yes. Where the certified product issues outbound webhooks, evaluation covers webhook signing (HMAC, JWT), timestamp / replay protection, retry semantics, customer endpoint validation, secret rotation, and delivery-failure handling. Customer-side webhook receiving endpoints are outside scope (they are not the certified product), but the platform’s outbound discipline is in scope.
Not in principle, but it does affect scoping and evaluation depth. Engagements with large endpoint counts are typically scoped to a representative sample plus full coverage of authentication, authorisation, schema and rate-limit machinery (which is shared across endpoints). For very large API surfaces, we may agree at scoping to scope-limit the certificate to a defined endpoint subset, with the boundary explicitly stated in the Scope Statement. Pricing is calculated per endpoint count and complexity.
The ‘Field of Accreditation’ is a high-level descriptor of the type of conformity assessment activity the body is accredited to perform. Guardian’s Field of Accreditation is ‘Product / Process Certification’, meaning we are accredited to certify products (and processes / services where applicable). This is distinct from ‘Management System Certification’ (ISO/IEC 17021-1), ‘Inspection’ (ISO/IEC 17020), and ‘Testing & Calibration’ (ISO/IEC 17025).
Module C produces an ISO/IEC 17065-accredited third-party certificate against the OWASP API Security Top 10 — the de facto international benchmark for API security. Specific regulatory acceptability depends on the regulator and any empanelment requirements (CERT-In empanelment is a separate accreditation under the Government of India). We are happy to discuss your specific regulatory driver at scoping; in regulated procurement processes, Module C certification typically serves as evidence alongside regulator-specific requirements rather than as a substitute for them.
Module C Level 1 is an accredited third-party certification — issued by an ISO/IEC 17065-accredited certification body, against a documented certification scheme (GSA-PR-01), with a public-directory listing, surveillance, complaints and appeals rights, and recognition through the international accreditation infrastructure. A VAPT report is a private, point-in-time technical assessment without those procedural attributes. Module C Level 1 includes VAPT as an evaluation activity, but it is the procedural infrastructure that makes the certificate procurement-grade.
Yes. Open-banking APIs (PSD2-style AISP/PISP, Indian Account Aggregator FIPs and FIUs, and equivalent regimes globally) are common Module C engagements. Module C provides an accredited attestation interpretable across the open-banking ecosystem; it is typically combined with regulator-specific empanelment / participant-onboarding requirements rather than serving as a substitute for them.
No. Module C evaluates the security of the certified API surface and the platform’s outbound discipline (signing, replay protection, secret rotation, etc.). Customer-side endpoints that receive your webhooks are outside the certified product boundary — those are governed by the customer’s own controls. We can, however, evaluate documented guidance the platform provides to customers for receiving webhooks securely.
The Scope Statement names the version (or version range) in scope. Where the API supports multiple co-existing versions (v1, v2, v3 reachable simultaneously), the Scope Statement names which versions are certified and which are not. Breaking changes that introduce new endpoints, new authorisation logic or new authentication paths trigger surveillance or re-evaluation activities outside the routine surveillance cycle, per the Certification Agreement and GSA-PR-01.
In our experience, yes — particularly where the buyer’s procurement process embeds API security questions (which is increasingly common in fintech, healthcare, and large-enterprise SaaS buyer ecosystems). A publicly-listed certificate that maps to OWASP API Top 10 categories produces interpretable evidence in security reviews. Whether it materially compresses overall procurement cycle time depends on the buyer’s process; presenting Module C certification at the start of a security review consistently shortens the back-and-forth.
Critical findings on the API surface — particularly under API1 BOLA, API2 Broken Authentication, or API5 BFLA — must be addressed for certification to be granted. Guardian issues the finding with technical detail and the relevant OWASP API Top 10 / GSA-PR-01 reference. Remediation is the applicant’s responsibility — Guardian does not provide consulting or fix-support. Guardian re-verifies corrective actions; one round of re-verification is included in the engagement, additional rounds are billed separately. If the API cannot meet the criteria, the certification is not issued, and there is no record of the failed application in the public directory.
Ready to Get Started?
Apply for Certification
Submit a formal application. Initial response within 5 working days.
Apply NowRequest a Quote
Tell us about your product. Indicative quote within 3 to 5 working days.
Get a QuoteTalk to Our Team
Specific question or regulatory driver to discuss?
Contact Us