Secure APIs are designed with security in mind from the start, so that the common pitfalls are ruled out by design rather than patched later: endpoints with no authentication or authorization checks, injection through unvalidated parameters, responses that expose more data than the caller needs, missing or per-IP-only rate limiting that an attacker can sidestep, and an absence of logging and monitoring that leaves abuse invisible.

On the provider side, the practices that address these are concrete: serve every endpoint over TLS and reject plaintext; restrict CORS to an explicit allowlist of origins and never reflect an arbitrary Origin or use a wildcard with credentials; validate input against a schema with bounded types and lengths, and filter output to the fields the caller is entitled to; reject requests whose Content-Type is not the one the endpoint expects; send API keys and access tokens only in headers over TLS, store them server-side as digests and compare them in constant time, and bind each to the narrowest set of scopes it needs (least privilege); keep dependencies patched; version the API so breaking changes do not silently alter behaviour; minimize trust between services by authenticating service-to-service calls instead of relying on network position; and set security headers such as Strict-Transport-Security and X-Content-Type-Options on every response.

When consuming third-party APIs the same discipline applies in the other direction. Vet providers before integrating; treat every external response as untrusted input and validate it against the shape you expect before acting on it; request only the scopes and permissions the integration needs; set hard timeouts on every call and retry only transient failures, with backoff, so a slow or failing provider cannot exhaust your own resources; test integrations in a sandbox before pointing them at production; watch for deprecation signals such as Sunset headers and changelogs; monitor usage and latency continuously; rate limit outbound requests so a bug on your side does not hammer the provider; encrypt any cached responses at rest and retain them no longer than needed; and design each integration deliberately rather than letting it accrete.
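The provider-side controls above, applied in one request guard, as an added example written for this page (it is not code from any framework or project the page describes). The endpoint, the two demo API keys, the allowed origin and the report-request schema are all assumed for illustration; a real service would load them from configuration. The guard runs the checks in order and returns the first failure, so an unauthenticated caller never reaches the body parser:

```python
"""Inbound guard for a hypothetical JSON API: TLS-only, CORS allowlist, strict Content-Type,
API keys stored as digests and compared in constant time, scope check (least privilege),
per-caller rate limit, input validation, security headers, and a log line for every decision."""
import hashlib
import hmac
import json
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("api.guard")

# Assumed configuration for the example; not taken from any real deployment.
ALLOWED_ORIGINS = {"https://app.example.com"}
API_KEYS = {  # only SHA-256 digests are stored; the plaintext key lives with the caller
    hashlib.sha256(b"demo-key-reports-read").hexdigest(): {"subject": "reporting-svc", "scopes": {"reports:read"}},
    hashlib.sha256(b"demo-key-user-admin").hexdigest(): {"subject": "admin-svc", "scopes": {"users:write"}},
}
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}
MAX_BODY = 64 * 1024


class SlidingWindowLimiter:
    """At most `limit` requests per `window` seconds, keyed per authenticated caller."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop hits that fell outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_key(presented):
    """Digest the presented key and compare it against every stored digest in constant time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    found = None
    for stored, principal in API_KEYS.items():
        if hmac.compare_digest(stored, digest):
            found = principal  # no early return, so timing does not reveal which entry matched
    return found


def validate_report_request(body):
    """Schema for a hypothetical POST /reports body: exact keys, bounded types and ranges."""
    if not isinstance(body, dict) or set(body) != {"name", "days"}:
        return "body must be an object with exactly name and days"
    if not isinstance(body["name"], str) or not 1 <= len(body["name"]) <= 64:
        return "name must be a string of 1-64 characters"
    if isinstance(body["days"], bool) or not isinstance(body["days"], int) or not 1 <= body["days"] <= 90:
        return "days must be an integer from 1 to 90"
    return None


def handle(req, limiter, required_scope="reports:read", now=None):
    """Run the controls in order and return (status, headers, body); the first failure wins."""
    headers = dict(SECURITY_HEADERS)
    h = {k.lower(): v for k, v in req["headers"].items()}

    def reject(status, reason):  # log the decision, never the credential
        log.warning("%s %s from %s rejected: %s", req["method"], req["path"], req["client_ip"], reason)
        return status, headers, {"error": reason}

    if req.get("scheme") != "https":
        return reject(403, "tls required")
    origin = h.get("origin")
    if origin is not None:  # absent Origin means a non-browser client; no CORS headers needed
        if origin not in ALLOWED_ORIGINS:
            return reject(403, "origin not allowed")
        headers["Access-Control-Allow-Origin"] = origin  # echo the allowlisted origin, never "*"
        headers["Vary"] = "Origin"
    scheme, _, token = h.get("authorization", "").partition(" ")
    principal = lookup_key(token) if scheme == "Bearer" and token else None
    if principal is None:
        return reject(401, "missing or invalid credential")
    if required_scope not in principal["scopes"]:
        return reject(403, "insufficient scope")
    if not limiter.allow(principal["subject"], now):
        headers["Retry-After"] = str(limiter.window)
        return reject(429, "rate limit exceeded")
    if req["method"] in ("POST", "PUT", "PATCH"):
        if h.get("content-type", "").split(";")[0].strip().lower() != "application/json":
            return reject(415, "content-type must be application/json")
        if len(req["body"]) > MAX_BODY:
            return reject(413, "body too large")
        try:
            parsed = json.loads(req["body"])
        except ValueError:
            return reject(400, "malformed json")
        problem = validate_report_request(parsed)
        if problem:
            return reject(400, problem)
    log.info("%s %s allowed for %s", req["method"], req["path"], principal["subject"])
    headers["Content-Type"] = "application/json"
    return 200, headers, {"ok": True, "subject": principal["subject"]}
```

The rate limit is keyed by the authenticated subject rather than the source address, so a caller cannot reset its budget by rotating IPs, and the limiter runs before the body is parsed so a flood of large bodies is cheap to refuse. The schema check rejects unknown fields outright; accepting and ignoring them is how mass-assignment bugs start.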
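The consumer-side practices above (hard timeouts, retries limited to transient failures, validation of external responses, and watching for deprecation) in one outbound client, as an added example written for this page rather than any library's or provider's own code. The quote endpoint, its response schema and the bearer token are hypothetical; the transport is injected so the logic can be exercised offline against a scripted fake, while `urllib_transport` shows the real thing with a timeout:

```python
"""Outbound client for a third-party API: hard timeouts, bounded retries with jittered backoff
on transient failures only, a response size cap, strict validation of what comes back, and a
warning when the provider signals deprecation via a Sunset header (RFC 8594)."""
import json
import logging
import random
import time
import urllib.error
import urllib.parse
import urllib.request

log = logging.getLogger("api.client")
MAX_RESPONSE_BYTES = 1 << 20      # never read an unbounded body into memory
RETRYABLE = {429, 502, 503, 504}  # transient; any other 4xx/5xx is not retried
MAX_RETRY_AFTER = 30.0            # cap what the provider may ask us to wait


class TransientError(Exception):
    """Network-level failure (timeout, reset): safe to retry an idempotent GET."""


class UpstreamError(Exception):
    """The provider answered in a way we refuse to act on."""


def urllib_transport(timeout=5.0):
    """Real transport (not used by the offline test). Returns (status, headers, body)."""
    def send(url, headers):
        req = urllib.request.Request(url, headers=headers, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, dict(resp.headers), resp.read(MAX_RESPONSE_BYTES + 1)
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers), e.read(MAX_RESPONSE_BYTES + 1)
        except OSError as e:  # URLError and socket timeouts both derive from OSError
            raise TransientError(type(e).__name__) from e
    return send


def validate_quote(obj):
    """Exact keys, bounded types and ranges; anything else from the provider is rejected."""
    if not isinstance(obj, dict) or set(obj) != {"symbol", "price", "currency"}:
        raise UpstreamError("unexpected shape")
    sym, price, cur = obj["symbol"], obj["price"], obj["currency"]
    if not (isinstance(sym, str) and sym.isalnum() and len(sym) <= 10):
        raise UpstreamError("bad symbol")
    if isinstance(price, bool) or not isinstance(price, (int, float)) or not 0 < price < 1e9:
        raise UpstreamError("bad price")
    if cur not in {"USD", "EUR", "GBP"}:
        raise UpstreamError("bad currency")
    return {"symbol": sym, "price": float(price), "currency": cur}


def fetch_quote(symbol, send, token, attempts=3, base_delay=0.2, sleep=time.sleep, rng=random.random):
    """GET a quote; retry only on TransientError / RETRYABLE statuses; never retry other 4xx."""
    url = "https://quotes.example.net/v1/quote?symbol=" + urllib.parse.quote(symbol)  # hypothetical provider
    req_headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    delay, last = base_delay, "no attempt made"
    for attempt in range(1, attempts + 1):
        wait = delay + rng() * delay  # exponential backoff with jitter
        try:
            status, headers, body = send(url, req_headers)
        except TransientError as e:
            last = f"transient: {e}"
        else:
            h = {k.lower(): v for k, v in headers.items()}
            if status == 200:
                if "sunset" in h:
                    log.warning("provider announced deprecation, Sunset=%s", h["sunset"])
                if len(body) > MAX_RESPONSE_BYTES:
                    raise UpstreamError("response too large")
                try:
                    data = json.loads(body)
                except ValueError:
                    raise UpstreamError("non-JSON body") from None
                return validate_quote(data)
            last = f"status {status}"  # token is never included in errors or logs
            if status not in RETRYABLE:
                raise UpstreamError(last)  # e.g. 401/403/404: retrying cannot fix it
            if h.get("retry-after", "").isdigit():
                wait = min(float(h["retry-after"]), MAX_RETRY_AFTER)
        if attempt < attempts:
            sleep(wait)
            delay *= 2
    raise UpstreamError(f"giving up after {attempts} attempts ({last})")
```

Two choices matter here. Retries are restricted to failures that can plausibly clear on their own, because retrying a 401 or 404 only multiplies load on both sides, and the provider's Retry-After is honoured but capped so a hostile or broken upstream cannot park the caller indefinitely. The validator normalises the response into a fresh dict rather than passing the provider's object through, so extra or unexpected fields never reach the rest of the application.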