Best practices for securing InterSystems IRIS APIs

 I’m currently working with REST APIs in InterSystems IRIS and would like to better understand the recommended security practices for production environments.

I’m especially interested in:

• Authentication and authorization methods
• Token management strategies
• Role-based access control
• API gateway recommendations
• Encryption and secure communication practices
• Monitoring and logging for API activity

I would also appreciate learning about common mistakes to avoid when deploying APIs publicly or integrating with external systems.

What approaches or tools have worked best in your environments?