As hundreds of billions of dollars in online business rely on APIs to efficiently function, APIs continue to be a major target for malicious hackers looking to exploit weaknesses in these connection points. When keys and tokens are leaked, they end up on the dark web and are then used in automated attacks against API endpoints. Our research found that on many websites and applications, more than 75% of login requests from API endpoints are malicious. API attacks continue to grow because they are easier and more economical to mount while being harder to detect than legacy browser-based botnet attacks. Businesses can beat API bots by employing a new defensive methodology driven by machine learning, sophisticated behavior modeling, and a constant real-time feedback loop. Developers must take steps to ensure that API keys and security tokens are properly protected using key vaults.