{"id":"security-authentication","title":"Authentication","section":"security","rules":[{"requirement":"MUST","rule":"Every API must be authenticated","severity":"error"},{"requirement":"SHOULD","rule":"Use OAuth 2.0 for authentication"},{"requirement":"SHOULD","rule":"Send API keys as headers, not URL parameters"},{"requirement":"MUST NOT","rule":"Include credentials in URLs","severity":"error"}],"examples":{"recommended":[{"header":"Authorization: Bearer {token}"},{"header":"X-API-Key: {api-key}"}],"notRecommended":[{"url":"/v1/users?api_key=secret123"}]}}