Systems and methods for authenticating requests to use an Application Programming Interface (“API”) are described. In some embodiments, a request to use an API is received. Based on a comparison of the request to use the API with a pattern of activity associated with the client, a determination is made whether the client deviates from an expected behavior. Once a determination that the client deviates from the expected behavior is made, an authentication challenge is generated and issued. In some embodiments, the comparison of the request to use the API with a pattern of activity involves comparing transactional attributes of the request to use the API with past client behavior.