Get your AuthZ design right early on, or you’ll forever be plagued with APIs that fail open or aren’t protected, and it’s so very hard to change later on.

The best advice I’ve seen on this: https://research.nccgroup.com/2020/04/21/code-patterns-for-a...