Cybersecurity & Risk

API Security Assessment Checklist Generator

Reviews an API spec against the OWASP API Top 10 and outputs concrete findings, tests, and remediation.

Role-Based · Step-by-Step · Structured-Output

Prompt

ROLE: You are an API security tester reviewing an API design/specification against modern API threats.

CONTEXT:
- API spec or endpoint list: [PASTE_OPENAPI_OR_ENDPOINTS]
- Auth model: [OAUTH_JWT_API_KEY_SESSION]
- Data sensitivity: [WHAT_THE_API_EXPOSES]
- Consumers: [INTERNAL_PARTNER_PUBLIC]

TASK: assess against the OWASP API Security Top 10 (2023 list; injection is retained from the 2019 list):
1. Broken object-level authorization (API1, BOLA/IDOR): for every endpoint that takes an object identifier, check that the server verifies the caller is authorized for that specific object, not merely that the caller is authenticated.
2. Broken authentication (API2): token validation (signature, issuer, audience, algorithm), expiry and refresh handling, brute-force and credential-stuffing protection, and any endpoint reachable without credentials.
3. Broken object property-level authorization (API3) and broken function-level authorization (API5): mass assignment of privileged fields, over-exposure of properties in responses, and admin or write operations reachable by ordinary roles.
4. Unrestricted resource consumption (API4) and unrestricted access to sensitive business flows (API6): rate limiting, pagination limits, payload size caps, and automated abuse of flows such as signup, checkout, or password reset.
5. SSRF (API7), security misconfiguration (API8), improper inventory management (API9: undocumented, deprecated, or shadow endpoints and versions), unsafe consumption of third-party APIs (API10), and injection in any input that reaches an interpreter.

For each: state the risk, the specific endpoint affected, a concrete test to confirm it, and the remediation.

OUTPUT FORMAT:
- Findings table with columns: OWASP API ID | Endpoint | Risk | Severity | Test to confirm | Remediation
- Authorization matrix recommendation (who can do what)
- Top 3 fixes before launch

CONSTRAINTS: Prioritize authorization flaws (BOLA/BFLA) — they are the most common and damaging. Provide tests as request/response expectations, not destructive payloads against production. If the spec lacks auth details, list the exact clarifications needed.
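The spec-level half of the checklist above, as an added worked example that is not part of the prompt or of any tool it refers to: a small Python checker that walks an OpenAPI 3 document, flags candidates for API1 (object id in the path), API2 (no security requirement), API3 (writable privileged properties), API4 (unbounded collection responses) and API7 (client-supplied URLs), and renders them as the findings table the prompt's OUTPUT FORMAT asks for. The sample spec, the property-name and parameter-name heuristics, and the severity labels are constructed for illustration; runtime properties such as token expiry or actual rate limiting cannot be read from a spec and must be confirmed with the request/response tests the prompt calls for.

```python
import re

def _json(schema):
    """Shorthand for an application/json content block (request body or response)."""
    return {"content": {"application/json": {"schema": schema}}}

# Constructed sample spec, not a real API: each operation carries one or two of the weaknesses checked below.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearer": []}],  # global requirement; an operation may override it
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{userId}/orders": {
            "get": {
                "parameters": [{"name": "userId", "in": "path", "required": True,
                                "schema": {"type": "string"}}],
                "responses": {"200": _json({"type": "array", "items": {"type": "object"}})},
            }
        },
        "/users/{userId}": {
            "patch": {
                "parameters": [{"name": "userId", "in": "path", "required": True,
                                "schema": {"type": "integer"}}],
                "requestBody": _json({"type": "object", "properties": {
                    "email": {"type": "string"}, "role": {"type": "string"}}}),
                "responses": {"200": {"description": "ok"}},
            }
        },
        "/webhooks": {
            "post": {
                "security": [],  # explicitly anonymous
                "requestBody": _json({"type": "object", "properties": {
                    "callbackUrl": {"type": "string", "format": "uri"}}}),
                "responses": {"201": {"description": "created"}},
            }
        },
    },
}

# Heuristics chosen for this example (assumptions, not OWASP definitions).
ID_PARAM = re.compile(r"^id$|_id$|[a-z]Id$|[A-Za-z_]ID$")  # path params that look like object ids
SENSITIVE = {"role", "roles", "admin", "isadmin", "owner", "ownerid", "balance", "verified", "permissions"}
PAGING = {"limit", "page", "page_size", "pagesize", "per_page", "cursor", "offset"}
METHODS = {"get", "put", "post", "delete", "patch"}

def _schema(container):
    return container.get("content", {}).get("application/json", {}).get("schema", {})

def assess(spec):
    """Return findings as (OWASP API ID, endpoint, risk, severity, test, remediation) tuples."""
    findings = []
    global_sec = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            ep = f"{method.upper()} {path}"
            params = item.get("parameters", []) + op.get("parameters", [])
            names = {p["name"].lower() for p in params}
            props = _schema(op.get("requestBody", {})).get("properties", {})
            # API2: an empty security list, per operation or inherited, means no credentials required.
            if op.get("security", global_sec) == []:
                findings.append(("API2", ep, "Callable without any credentials", "High",
                                 "Send the request with no Authorization header; expect 401",
                                 "Drop the per-operation override so the bearer scheme applies"))
            # API1: an object id in the path. A spec cannot express ownership, so each such
            # endpoint gets a differential test with two users' tokens rather than a payload.
            for p in params:
                if p.get("in") == "path" and ID_PARAM.search(p["name"]):
                    findings.append(("API1", ep, f"Path parameter '{p['name']}' selects an object; ownership check not visible in spec", "High",
                                     f"Authenticate as user A and request user B's {p['name']}; expect 403 or 404, never 200 with B's data",
                                     "Load the object, then check the caller's authorization on it in every handler"))
            # API3: privileged properties that are writable in the request body (mass assignment).
            bad = sorted(n for n, s in props.items() if n.lower() in SENSITIVE and not s.get("readOnly"))
            if bad:
                findings.append(("API3", ep, f"Writable privileged properties: {', '.join(bad)}", "High",
                                 f"As an ordinary user send a body that sets {bad[0]} to an elevated value; expect it ignored or rejected with 400/403",
                                 "Mark these properties readOnly and bind only an explicit allow-list of fields"))
            # API4: a collection response with no limit/paging parameter anywhere on the operation.
            if any(_schema(r).get("type") == "array" for r in op.get("responses", {}).values()) and not names & PAGING:
                findings.append(("API4", ep, "Unbounded collection response", "Medium",
                                 "Request the collection for a large account; expect a capped page size and a next-page cursor",
                                 "Add limit/cursor parameters with a server-enforced maximum"))
            # API7: URL-typed inputs the server will presumably fetch.
            for n, s in props.items():
                if s.get("format") in ("uri", "url") or n.lower().endswith("url"):
                    findings.append(("API7", ep, f"Client-supplied URL '{n}' fetched by the server", "High",
                                     f"Submit an internal hostname or link-local address as {n}; expect rejection before any outbound request",
                                     "Allow-list schemes and hosts, re-check the resolved address, and egress via a proxy"))
    return findings

def render_table(findings):
    """Render findings in the column order the prompt's OUTPUT FORMAT specifies."""
    rows = ["| OWASP API ID | Endpoint | Risk | Severity | Test to confirm | Remediation |", "|---" * 6 + "|"]
    rows += ["| " + " | ".join(f) + " |" for f in sorted(findings)]
    return "\n".join(rows)

if __name__ == "__main__":
    print(render_table(assess(SAMPLE_SPEC)))
```

Run as a script it prints the table for the sample spec: two API1 rows, one each for API2, API3, API4 and API7. Every "Test to confirm" cell is a request/response expectation (for API1 the same request under two different users' tokens), which is what the CONSTRAINTS section requires; rows it cannot produce from a spec alone (token lifetime, actual throttling behaviour) are the clarifications the prompt tells the model to request.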

Recommended models

Claude · GPT-4o · Gemini
