Auth is part of the API design conversation, not a separate workstream. We work with the patterns appropriate to your situation — OAuth 2.1, JWT, API keys, mTLS, signed requests — and design authorisation rules into the schema so they cannot be skipped at the implementation layer.