api-onboarding
Audited by Socket on Mar 4, 2026
1 alert found:
Security: This document is a benign, high-level guidance skill for improving API onboarding (TTFAC). It contains examples that show common operational patterns: analytics instrumentation, interactive browser-based API explorers, sandbox/test keys, and pre-filled examples. None of the provided snippets include obfuscated code, remote downloads, or explicit exfiltration to attacker-controlled endpoints. The primary security concerns are operational and policy risks: recommending immediate visibility of API keys and pre-filled, pre-authenticated interactive demos can lead to accidental credential leakage or exposure of telemetry if implementers do not enforce safe defaults (use short-lived test tokens, backend proxies for calls from the browser, avoid embedding production keys in docs, and limit telemetry fields). I rate the likelihood of intentional malware as very low, but there are moderate security/privacy risks if the guidance is applied without mitigations.