The rapid adoption of cloud-native applications has led to the widespread use of microservices architecture, where complex systems are decomposed into independently deployable services that communicate primarily through application programming interfaces (APIs). While this architectural paradigm improves scalability, flexibility, and development agility, it also significantly expands the system’s attack surface, making API security a critical challenge in distributed environments. In particular, issues related to authentication, authorisation, service-to-service trust, and API abuse become more complex as security controls are decentralised across multiple services and networks. This project investigates the design and implementation of secure API and authentication strategies tailored for distributed microservice systems. A security-by-design methodology was adopted, integrating protection mechanisms at multiple architectural layers, including an API gateway, identity and access management service, and individual microservices. Token-based authentication using OAuth 2.0 and JSON Web Tokens (JWT) was implemented to enable stateless, scalable identity verification, while fine-grained role- and scope-based authorisation was used to enforce the principle of least privilege. Additionally, a zero-trust communication model was applied to internal service interactions, ensuring that all requests—whether external or internal—were explicitly authenticated and authorised. The proposed architecture was evaluated under realistic medium-scale workloads over an extended testing period, simulating both normal operational traffic and adversarial scenarios such as token misuse, replay attacks, unauthorised access attempts, and request flooding. Quantitative results demonstrate that the system achieved high authentication accuracy, effectively blocking the vast majority of unauthorised requests while maintaining acceptable latency under peak load conditions. Authorisation mechanisms successfully prevented privilege escalation and lateral movement between services, even when internal service identities were assumed to be compromised. The API gateway played a pivotal role in reducing backend exposure to malicious traffic, and rate-limiting controls ensured service availability during high-volume request bursts. Overall, the findings confirm that secure API design, when combined with robust authentication, fine-grained authorisation, and zero-trust principles, can significantly enhance the security and resilience of distributed microservices systems without imposing prohibitive performance overhead. This study provides a practical, validated framework that can guide the development of secure microservices-based applications in real-world cloud environments.