A first network device receives a token request from an application and, in response, generates a token that includes a time-stamp and a server identifier. The server identifier indicates a particular proxy server, of a group of proxy servers, in an API management layer. A second network device receives, from an application, an API call that includes the token and validates the token. The second network device routes the API call to the particular proxy server indicated by the token in response to successfully validating the token. The first network device or second network device provides a bypass uniform resource locator (URL), to the application, to bypass the API management layer, for one or more types of designated API calls.