A system that intercepts and analyzes application program interface (API) traffic, identifies correlations between components of API traffic, and uses those correlations to detect anomalous behaviors. API traffic, including requests and responses, is intercepted and analyzed to identify correlations in the API traffic. The correlations may be based on API traffic and can include a sequence of APIs, parameters passed between earlier and subsequent APIs, user roles within a user session and APIs accessed by the user roles, and other correlations. Correlation data for user sessions is generated and stored, and later compared to subsequent user session traffic. If the subsequent user session traffic does not comply with the correlations detected in earlier user sessions, an anomaly may be triggered.