Web APIs expose functionality to users and applications. They are developed by the enterprise and deployed as IaaS on a physical/virtual web server farm in IIS, as PaaS in Azure Web App, or as Containers in Docker for Azure.
All requests should be stateless, and request/response payloads should be in XML or JSON format. They should be load-balanced with auto-scaling.
Web APIs should be secured on HTTPS/TLS (SSL should be disabled). Where practical, two-way certificate encryption should be employed, especially for application-level integrations with third parties, where large volumes of data are being transferred.
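The transport rule above, expressed as a server-side TLS context plus a check that flags a non-compliant one. This is an added example, not code from the original page; the TLS 1.2 floor, the function names and the optional `client_ca_file` parameter are assumptions.

```python
import ssl

# Assumed policy floor: the page only says SSL must be disabled.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def build_server_context(client_ca_file=None, require_client_cert=True):
    """TLS-only server context; optionally demands a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS  # SSLv3 and early TLS are refused
    if require_client_cert:
        # Two-way certificates: the handshake fails unless the client
        # presents a certificate that chains to a trusted CA.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca_file:  # hypothetical path to the partner CA bundle
            ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def build_legacy_context():
    """Constructed weak configuration, kept only for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.verify_mode = ssl.CERT_NONE  # any client may connect
    return ctx


def audit_context(ctx, expect_client_cert=True):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append("minimum protocol version is below TLS 1.2")
    if expect_client_cert and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate is not required")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", build_server_context()),
                      ("legacy", build_legacy_context())):
        print(name, audit_context(ctx) or "compliant")
```

Before serving traffic, the context also needs the server's own certificate and key loaded with `load_cert_chain`, and a CA bundle for client verification.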