| API-001 | The API shall use authenticated access for protected endpoints. | Confirmed |
| API-002 | The API shall return unauthorized responses for unauthenticated access. | Confirmed |
| API-003 | The API shall return forbidden responses for unauthorized role or scope access. | Confirmed |
| API-004 | The API shall validate input and return validation errors. | Confirmed |
| API-005 | API documentation shall exist for core API endpoints. | Confirmed - Postman exists; OpenAPI draft available |
| API-006 | The OpenAPI specification shall be validated against the runtime route list before final approval. | Needs Technical Verification |