A new report from Info-Tech Research Group puts a number on the shadow API problem: undocumented or unmanaged interfaces can outnumber known APIs by as much as 10-to-1 in financial institutions. For every API your team knows about and actively manages, there could be ten more flying under the radar, completely ungoverned.
The report’s findings are clear. Incomplete API inventories, inconsistent oversight, and underconfigured gateways are leaving critical fintech integration points wide open. And as adversaries increasingly use AI-enabled discovery techniques to find these hidden endpoints, the window for getting API governance right is closing fast.
Here’s the good news: the report’s recommended solution, centralized API gateway enforcement, is exactly the approach modern API platforms were built for. Let’s break down what’s going wrong and how to fix it.
The shadow API problem in financial services
Shadow APIs don’t appear because teams are careless. They appear because financial institutions operate complex, distributed architectures where new integrations get spun up constantly. A fintech partner needs a data feed, so a developer creates a quick endpoint. A legacy system exposes a service for internal use. A proof-of-concept API goes live and never gets decommissioned.
As Jon Nelson, Principal Advisory Director at Info-Tech, put it: “APIs serve as the connective tissue linking on-premises systems with cloud, SaaS, and third-party services. However, many financial institutions face a significant challenge in the form of shadow APIs, undocumented or unmanaged interfaces that can outnumber known APIs by as much as ten to one.”
The result? Direct fintech integrations that bypass centralized gateway enforcement entirely. No authentication. No rate limiting. No traffic visibility. These orphaned endpoints become the path of least resistance for attackers and the biggest compliance blind spots for security teams.
If you’re working in financial services, this should concern you. Every unmanaged API is an unmonitored door into your systems, and securing API endpoints in banking applications requires knowing those doors exist in the first place.
Why traditional gateway configurations fall short
Info-Tech’s report doesn’t just call out shadow APIs — it specifically names “weak gateway controls” as a root cause of fintech API risk. This distinction matters. Having an API gateway isn’t enough. The gateway has to be properly configured and consistently enforced across every API in your inventory.
Here’s where many financial institutions stumble:
- Inconsistent authentication — Some APIs enforce OAuth, others use API keys, and some legacy endpoints have no auth at all. Without a unified authentication strategy, every inconsistency is a potential entry point.
- Missing rate limits — APIs without rate limiting are vulnerable to abuse, data exfiltration, and denial-of-service attacks. Per-consumer rate limiting isn’t optional for financial workloads — it’s a regulatory expectation.
- No traffic visibility — If you can’t see who’s calling your APIs, how often, and with what payloads, you’re operating blind. Shadow APIs compound this problem by existing entirely outside your monitoring stack.
- Configuration drift — In traditional gateway setups, policies are configured per-environment. Over time, staging and production configurations diverge, and enforcement becomes inconsistent.
The core issue is that legacy API management platforms require significant manual configuration and ongoing maintenance. Teams set them up once, then move on to the next project. The gateway atrophies, new APIs bypass it, and before long, you’ve got a 10-to-1 shadow API ratio.
The gateway-first governance model
Info-Tech’s blueprint, Improve Your API Processes to Secure Your Fintech Integrations, recommends three priority actions:
- Create a comprehensive inventory of all APIs in production, including shadow endpoints
- Evaluate and mature your API gateway capabilities across authentication, authorization, rate limiting, monitoring, and logging
- Embed structured API governance into your operating model to prevent new shadow APIs from emerging
What ties these three together? The API gateway. When every API request flows through a properly configured gateway, you get inventory for free — every endpoint that routes through the gateway is, by definition, a known and managed API. Your gateway becomes the single source of truth for what APIs exist, who’s calling them, and what policies govern them.
This is the gateway-first governance model: instead of trying to discover shadow APIs after the fact, you make the gateway the mandatory path for all API traffic. Any API that doesn’t route through the gateway doesn’t get to go live.
Zuplo’s approach to this is built on an OpenAPI-native design. Your OpenAPI specification defines which routes exist, and the gateway enforces that definition. Want to add a new endpoint? Update the spec. Need to deprecate one? Remove it from the spec. The spec is the inventory, and the gateway is the enforcement layer.
How edge-native gateways address latency for financial workloads
One of the most common objections to routing all API traffic through a gateway is latency. Financial services workloads — payment processing, real-time fraud detection, market data feeds — are latency-sensitive. Adding an extra hop feels risky.
This is where the architecture of your gateway matters. Traditional gateways typically run in a single region, meaning API traffic has to travel to and from that region regardless of where the caller is. For a bank operating globally, this adds meaningful latency.
Edge-native gateways solve this by distributing enforcement to the network edge. Zuplo runs across 300+ data centers worldwide, which means gateway enforcement happens at the closest point to the API consumer. Authentication, rate limiting, and request validation all execute before the request ever reaches your backend — and they execute fast because the processing happens geographically close to the caller.
For financial workloads, this architecture means you don’t have to choose between security and performance. You get both: comprehensive gateway enforcement at every endpoint, with minimal latency overhead at the edge.
How gateway-level controls eliminate shadow API risks
Shadow APIs don’t just create unmonitored endpoints — they create unmanaged credentials and invisible traffic patterns. Addressing these problems requires controls that operate at the gateway level, where every request is visible and every consumer is known.
Centralized API key management
When a developer provisions API access outside the gateway, they typically hardcode keys, share credentials over Slack, or create service accounts with overly broad permissions. When that developer leaves or the project changes direction, those credentials linger.
Centralized API key management solves this at the root. With Zuplo, every API consumer gets a managed identity with keys that can be issued, rotated, and revoked from a single control plane. Key rotation isn’t a quarterly fire drill — it’s a single API call that can be automated via the management API. And because every key is tied to a consumer identity, you always know who has access and can revoke it instantly.
Pair that with a developer portal that enables self-service onboarding, and you eliminate the incentive for developers to create side-channel access. When it’s easier to register through the official portal than to spin up an undocumented endpoint, shadow APIs stop appearing.
Per-consumer rate limiting
Rate limiting is often framed as a defensive measure — protect your backend from getting overwhelmed. But in the context of shadow API governance, rate limiting serves a second critical function: anomaly detection.
When you enforce per-consumer rate limits, you establish a baseline for normal traffic from each API consumer. A fintech partner that typically makes 100 requests per minute suddenly spiking to 10,000? That’s a signal. An API key that’s supposed to be used by a single integration suddenly generating traffic from multiple IP addresses? That’s another signal.
Without rate limiting, these patterns are invisible. With per-consumer limits, they become exceptions that trigger alerts and investigations. This is especially important for financial institutions where unusual API traffic patterns can indicate fraud, data exfiltration, or a compromised integration.
Checklist for securing FinTech API integrations
Based on Info-Tech’s blueprint and the gateway-first governance model, here’s an actionable checklist for financial institutions looking to get their API security posture in order:
Inventory and discovery
- Audit all known API endpoints across production environments
- Identify APIs that bypass the centralized gateway
- Map all third-party and fintech partner integrations
- Document which APIs have authentication, rate limiting, and monitoring — and which don’t
Gateway configuration
- Enforce authentication on every API route — no exceptions
- Implement per-consumer rate limiting with appropriate thresholds
- Enable request logging and real-time traffic monitoring
- Validate inbound requests against your OpenAPI specification
Credential management
- Migrate all API keys to a centralized management system
- Implement automated key rotation on a defined schedule
- Audit and revoke stale or orphaned credentials
- Require all new API consumers to register through the developer portal
Governance process
- Make gateway routing mandatory for all new APIs
- Include API security review in your deployment pipeline
- Establish regular API governance reviews with cross-functional stakeholders
- Monitor for new shadow APIs on a continuous basis
Conclusion
Info-Tech’s findings aren’t surprising to anyone who’s worked in financial services API infrastructure. The 10-to-1 shadow API ratio is the predictable result of rapid fintech integration without centralized governance. The good news is that the solution is well-understood: make your API gateway the mandatory, well-configured enforcement point for all API traffic.
The key is choosing a gateway that makes governance the path of least resistance. When authentication, rate limiting, and monitoring are built-in defaults rather than optional add-ons — and when enforcement happens at the edge without adding latency — teams naturally route through the gateway because it’s the easiest way to ship a secure API.
If you’re looking to close the shadow API gap in your organization, explore how Zuplo handles gateway-first governance — including API key management, per-consumer rate limiting, OpenAPI-native routing, and edge-native deployment — or get started to see it in action.