In partnership with

Claude is not just a chatbot anymore. Is your security team ready?

Claude.ai is one thing. Claude Cowork with MCP connections, running agentic workflows, taking actions across your data with ungoverned skills? That is a different conversation entirely, and most security teams are not equipped to govern it.

Harmonic Security is built to secure everything Claude offers. Full browser controls for Claude.ai, deep governance over agentic MCP workflows, and real-time visibility into what Claude is doing across your organization. So your CISO can say yes to the tools your business is already demanding.

Issue 72


I was at API Conference London last week, and it has taken me a while to get back in the swing of things. One piece of feedback I got at the conference from a subscriber was that they used newsletters like this to get the pulse of what was going on in the industry. So I am going to try a different format this week – similar to the news-roundup format I used to run. Let me know your thoughts or use the feedback poll at the end.

Interesting Content for the Week

Stainless joins Anthropic

Stainless has announced that it is being acquired by and joining Anthropic to help build out the Claude Platform, focusing on improving developer experience and connecting AI agents to complex external APIs. As a result of this transition, Stainless will wind down all of its hosted products, including its automated SDK generator. It is halting new sign-ups immediately, while advising current customers on transitioning their existing privately owned SDKs to alternative management options.

Here are a few reactions to the acquisition:

Validate APIs in Playwright Tests with Postman

Postman has introduced a new Playwright plugin and updated Postman CLI commands that allow development teams to automatically capture and validate the underlying API traffic generated during front-end UI tests. This integration ensures that while Playwright runs UI tests, Postman simultaneously cross-references the network traffic against API collections to detect contract drift, hidden backend errors, and coverage gaps, preventing "UI-green-but-API-broken" bugs from reaching production.

10 Security Issues With API Keys

Bill Doerrfeld shares that API keys provide a false sense of security and are fundamentally inadequate for robust authentication and authorisation in modern enterprise environments. He outlines ten critical security issues.

API Design Patterns from Polymarket

Yukio Ikeda writes about API Design Patterns from Polymarket: the World's Largest Prediction Market. Ikeda breaks down eight design patterns Polymarket uses to handle real-world complexity, rejecting over-simplified CRUD in favour of an architecture that is faithful to its domain.

Akamai: 87% of orgs have had an API security incident

Zuplo’s Nate Totten writes that Akamai's 2026 API Security Survey shows that 87% of organisations have been hit with an API security incident with an average cost of $700k per incident. The survey reveals an increasingly volatile API landscape where traditional human-staffed security and legacy defences are failing to curb accelerating breach rates. Totten breaks down five major findings from the survey of 1,840 security professionals.

Tool Spotlight

Voiden

Voiden is a 1K+ GitHub star open-source, offline-first API client and workspace for developers, created by ApyHub. API specs, tests, docs, and context all live in executable Markdown. An important concept in Voiden is the block: small, reusable components. Everything in Voiden is a block. An API request is a block, and it is composed of multiple other blocks: headers, query params, form inputs, and so on. Blocks can be mixed, matched, and reused.

Screenshot of Voiden on my machine, with my preferred theme

oasdiff goes Pro

oasdiff, the popular (1.2K GitHub stars) open-source breaking change detection service now has a pro/paid offering. Free, open source oasdiff offers breaking change detection and changelog generation, but the pro version adds an approval workflow that allows API owners to approve or reject breaking changes on a PR review page. Check it out.

Beyond the Linter Survey

I am running a research project called Beyond the Linter. The project explores how organisations actually run the people-and-process side of API governance. I am looking for people who work in API governance to take part in the study. Would you be willing to take part? See the full details here.

Feedback: What do you think of this newsletter issue?
