by 1690v 3263 days ago
It also expands the total attack surface of a system, which can lead to security problems. If you read some of the public disclosures from various bug bounty programs, neglected APIs have led to some serious vulnerabilities.

"Underprotected APIs" is actually number 10 on the OWASP Top 10 for 2017.

1 comment

The attack surface is the same whether the API is officially open/documented or not --- if you think that data received through a web API is somehow more trustworthy/less demanding of validation just because you haven't documented it and only release an app which uses it, you are doing it wrong.

Conceptually, it's just a listening server on the public Internet, and will be subject to arbitrary data anyone willing to connect to it can send.

Published docs (auto generated or not) increase the risk of discovery. Security through obscurity, yeah, but it reduces chances.