2025 Postman State of the API Report learnings

Every year, I look forward to Postman’s State of the API Report. For anyone who has built and scaled APIs, it’s more than an industry benchmark, it’s a reflection of how software, teams, and business models are evolving.

I began my career at D.E. Shaw, building and shipping APIs that powered trading systems. Later, at AppDynamics, I led our transition from a monolith to a microservices-based architecture, exposing thousands of APIs that connected every part of the product. Seeing this journey firsthand, it is remarkable to witness how APIs have evolved from niche integration points into the connective tissue of modern software.

The 2025 Postman report reinforces this shift. 69% of developers now spend more than 10 hours a week on API-related work, and over a quarter spend more than 20 hours. This effort spans continents, 43% of API work happens in Asia-Pacific and 30% in North America, which makes collaboration and consistency harder than ever.

APIs are no longer just technical plumbing or projects , but revenue-generating assets that help enterprises stay ahead, relevant and growing. 43% of API-first organizations generate more than 25% of their total revenue from APIs, and 20% generate more than 75%. Companies that design and manage APIs well are able to launch products faster, expand partnerships, and scale without adding headcount.

But there is another shift underway. API strategy is fast becoming AI strategy. APIs are no longer just powering applications; they’re powering AI agents. The report shows a 40% YoY growth in AI-related API calls, yet only 24% of developers design APIs with AI agents in mind. This marks a fundamental change in how APIs are used, tested, and secured.

Despite the growing investment, the core challenges remain the same: poor documentation, limited visibility, and fragmented testing practices. These issues have persisted across every edition of the report. Now, with AI agents interacting with APIs autonomously, these gaps are no longer just operational, they are existential. The API landscape stands at an inflection point where AI readiness will separate leaders from laggards.

At Levo.ai, we believe this moment calls for a new foundation. Let’s explore how the state of API collaboration and security has evolved, what the data tells us about persistent gaps, and why a runtime-informed, automated and continuous approach is necessary to secure APIs in the age of AI.

Five years of change: what has (and hasn’t) evolved 

Looking back at five years of Postman’s State of the API reports, the evolution of APIs mirrors the evolution of modern software itself. Architecture has changed. Development practices have shifted. APIs have moved from being integration utilities to the execution layer for digital business, and now, for AI systems.

Yet, for all the transformation, the same four problems persist: documentation debt, lack of visibility, collaboration gaps, and insufficient testing. Each year introduces new tooling and buzzwords, but these core issues remain stubbornly high across the reports.

The Macro Shifts (2021–2025)

Each year pushed APIs further into the center of the enterprise. But it also made the cracks more visible. As APIs scaled across regions and business units, documentation drift, poor testing coverage, and fragmented visibility became systemic.

Persistent Problems Across Reports

Across every State of the API report since 2021, one truth stands out: API growth has outpaced API understanding. The ecosystem has grown in scale, speed, and sophistication, but the fundamentals of how teams document, test, and collaborate have not kept up.

1. Documentation Debt

Developers still write and maintain documentation manually. It is slow, repetitive work that rarely makes it to the top of the sprint. The result is predictable: incomplete, inconsistent, and outdated documentation across most teams.

The 2025 Postman report shows:

• 58% of developers spend a significant part of their week managing documentation.
• 55% of teams struggle with inconsistency.
• 34% cannot even find existing APIs.
  

This gap is not just inconvenient; it is structural. When documentation is scattered across Confluence, Slack, wikis, and email threads, context gets lost. And when context is lost, developers rebuild what already exists, delaying releases, introducing duplication, and reducing ROI.

2. Lack of Visibility

As APIs multiplied across microservices, regions, and clouds, visibility failed to keep pace. Most organizations do not have a unified source of truth for what APIs exist, who owns them, or how they behave at runtime.

Documentation lives in silos, often disconnected from production reality. The result is a growing blind spot between what is documented and what is deployed. Without runtime visibility, teams cannot detect shadow APIs, understand dependencies, or respond quickly to security incidents.

This is not just an operational gap; it is a governance and security risk that scales with every release.

3. Collaboration Breakdowns

Even small, tightly knit teams report collaboration problems. The 2025 report shows that 93% of teams face blockers such as duplicated work, poor discovery, and outdated context.

The single-source-of-truth dilemma persists because API information is spread across too many systems. Specs in Confluence, feedback in Slack, examples in GitHub, and approvals buried in email each add friction.

The irony is clear. APIs were supposed to accelerate collaboration, but fragmented documentation has made cross-team work harder. What should be a shared system of record has become a scavenger hunt for knowledge.

4. Testing Maturity Gaps

Testing practices have improved in breadth but not in depth. Functional and integration tests are common, yet contract testing adoption remains low at 17%, and security testing sits at just 42%.

Developers spend more time debugging and retesting than automating. This not only slows releases but also undermines trust in API behavior, especially when machine consumers like AI agents depend on deterministic responses and stable contracts.

A Pattern That Never Broke

Even as new tools promised automation and insight, the core pain points barely moved. Documentation remained a bottleneck. Visibility did not scale with API volume. Collaboration stayed fragmented. Testing maturity flatlined.

The deeper story is this: the problem is not tooling, it is visibility. The methods we built for human-centric API consumption no longer work in a world where AI agents are chaining APIs autonomously and operating at machine speed.

How AI Agent Consumption intensifies current API Security Problems

API consumption has changed fundamentally.

For years, APIs were designed for human developers, with predictable usage, steady call volumes, and manageable rate limits. But that world is gone.

Today, APIs are being called not only by humans but also by AI agents, autonomous systems that act, decide, and integrate at machine scale, as affirmed by Postman’s 2025 State of the API Report. 

This shift changes everything!

51% of organizations have already deployed AI agents, with another 35% planning to do so within two years. Yet most APIs in production were never designed for this reality. They were built for human-scale consumption, not for systems that can operate continuously, in parallel, and autonomously.

And that is where the new set of risks begins.

AI Agents - The New Consumer

AI agents are not just tools; they are autonomous programs that read, interpret, and call APIs on their own. They parse documentation, reason over parameters, and issue requests without waiting for human confirmation.

While generative AI adoption is near universal, with 89% of developers now using AI in their daily work, only 24% design APIs with agents in mind. Within that 24%:

• 13% design equally for humans and agents
• 7% primarily design for agents
• 5% are transitioning
  

The mismatch is striking. It means most APIs remain human-friendly but machine-fragile. They assume interpretation, not automation. They depend on context humans infer naturally, context that AI agents must deduce mechanically.

This design gap defines the next phase of API evolution.The rise of AI agents has turned these old problems into new risks. When humans used APIs, they could compensate for gaps through intuition or tribal knowledge. Engineers could guess, experiment, or ask a colleague for help. AI agents can’t.

Why AI Agents Magnify API Problems like improper API Documentation

For an agent, API documentation is the entire world map. It doesn’t interpret intent; it interprets structure. It relies on precise OpenAPI or JSON schemas to construct requests, validate responses, and make decisions. If the schema is incomplete or inconsistent, the agent’s logic unravels.

An undocumented field can cause malformed requests. Missing error codes trigger infinite retries. Undefined rate limits can bring systems down. What once caused minor friction in human workflows can now create cascading failures in autonomous ones.

Without continuously accurate, runtime-synced documentation, AI-driven systems don’t scale, they stall. This is why documentation debt, visibility gaps, and testing blind spots have evolved from engineering headaches into enterprise risks.

APIs have already reshaped how businesses build and grow. But the arrival of AI as an API consumer means the foundation itself needs to change.

It is important to understand how this new class of API consumers, autonomous agents is redefining what security, governance, and trust must look like in a runtime-driven world.

What “Agent-Ready” Really Means

As agents consume APIs at scale, they also amplify every underlying weakness. Postman’s data shows:

• 51% of developers worry about unauthorized or excessive AI calls
• 49% fear agents accessing sensitive data
• 46% are concerned about credential leakage
  

These are not hypothetical risks. They stem from the way agents operate, with high-frequency parallelism, issuing thousands of requests per second.  While Applications were deterministic Apps with AI Agents are dynamic and non-deterministic, meaning the path is not coded in advance, it emerges at runtime, and hence any data-leak or breakdown happens in real time. 

Traditional security models, built for human-driven traffic, cannot handle this. They rely on static credentials, periodic anomaly checks, and predictable access patterns. But agents generate continuous, recursive, and machine-driven load. Without runtime visibility into whether a caller is human or agent, least-privilege enforcement collapses.

What was once a minor misconfiguration can now create system-wide exposure.

The Design Imperative: What “Agent-Ready” APIs Require

Being agent-ready means more than exposing an endpoint. It requires designing APIs that machines can understand, reason over, and use safely without human interpretation in the loop.

Key principles include:

• Machine-readable schemas with complete OpenAPI definitions, examples, and typed error codes.
• Predictable patterns for naming, status codes, authentication, and error handling.
• Context-rich documentation that explains not just how to call an endpoint, but when and why.
• Granular authentication and dynamic rate limiting designed for non-human, high-frequency access patterns.
• Robust error handling with typed responses and clear remediation paths so agents can recover deterministically.

When APIs lack these traits, teams end up building ad-hoc wrappers to make them usable for agents. Those wrappers leak secrets, create inconsistent behavior, and duplicate effort across organizations, a fragile substitute for proper design.

Standards Will Help, But They Will Not Save You

Some believe that new frameworks such as the Model Context Protocol (MCP) will solve these challenges. MCP is promising, offering a universal interface between AI models and real-world systems. But awareness has outpaced adoption.

Two-thirds of developers know about MCP, yet only 10% use it regularly, and 24% plan to explore it. That means AI agents are already calling your APIs, with or without MCP, and often without standardized safeguards.

Waiting for a universal protocol is not a strategy. Organizations must design for this new reality now, building APIs that are machine-consumable, secure, and predictable today. Whether MCP becomes the standard or another protocol replaces it, APIs that are agent-ready will be future-compatible by design.

The Road Ahead

This shift is both a challenge and an opportunity. APIs built for human comprehension are no longer enough. The next decade belongs to APIs that can serve two consumers simultaneously, humans who build, and agents who act.

Levo’s runtime platform addresses this dual reality. Levo automates both API documentation and security, enabling enterprises to coordinate teams around complex systems while protecting against AI-driven access risks.

Because as the world shifts to agent-driven operations, the winners will be those who make their APIs ready before the agents arrive.

How Levo turns API Security from a bottleneck into a growth enabler

At Levo.ai, we help teams make this shift effortlessly by automating both the security of APIs and the security of the agents that consume them.

We enable agent-ready, enterprise-secure APIs by embedding automation across every step, from discovery and documentation to security testing, monitoring and even runtime detection and protection.

Levo automatically distinguishes between human and agent traffic, enforces least privilege, applies dynamic rate limiting, and continuously validates credentials, all without slowing development. Instead of treating AI adoption as a risk, enterprises can now treat it as an advantage, scaling automation safely and confidently.

Because in this new reality, security cannot depend on human vigilance when the consumers are no longer human. It has to be built in: continuous, automated, and context-aware.

Deploy secure APIs and secure AI agents at scale with Levo, so your teams can innovate faster and realize the business gains of APIs and agents sooner.

1. Individual Developers: Focus on Building, Not Maintaining

Manual documentation has always been a lose-lose situation. Developers dislike doing it, security cannot rely on it, and it slows integration, testing, and revenue realization across teams.

Levo changes this equation by automating documentation generation from live traffic and automating security testing using runtime context.

Our eBPF-based sensors observe APIs directly at runtime, before encryption and across every environment to generate OpenAPI and Postman specs that reflect how APIs behave in production. Each spec includes over a dozen real parameters such as request and response schemas, authentication logic, rate limits, error patterns, and version histories, along with human readable descriptions generated from observed usage.

Because this visibility is continuous, documentation updates automatically with every deployment or configuration change. That means your documentation is always accurate, integration-ready, and aligned with your CI/CD velocity.

For developers, the benefits are immediate and measurable:

• More time coding, less time maintaining.
• Fewer manual tests and rework cycles.
• Higher sprint velocity and more features shipped per quarter.

Levo eliminates low-ROI manual work so developers can focus on what drives growth i.e. writing and deploying code.

2. Developer Teams: Unify Visibility and Collaboration

Postman’s reports repeatedly show that scattered documentation is one of the biggest blockers to team collaboration. When information lives in Confluence, Slack, wikis, and emails, developers lose context, duplicate work, and rebuild functionality that already exists.

Levo solves this by creating a unified API documentation and inventory portal: a single source of truth that captures live API behavior in real time. Every API, whether internal, external, or third-party, is automatically indexed and documented with 12+ runtime parameters.

Teams across time zones can instantly:

• Discover existing APIs
• Understand their capabilities
• Access accurate, real-time specs
• Reuse instead of rebuild

Documentation stays synchronized with code and deployments, eliminating drift and reducing scatter. Shared workspaces maintain context across specs, tests, and conversations.

For teams, this alignment delivers:

• Higher reuse and lower duplication
• Fewer dependencies and blockers
• Shorter release cycles and faster collaboration

Levo’s runtime inventory brings visibility and structure to the API sprawl, transforming chaos into clarity.

3. Engineering Leaders: Faster Time-to-Market and Competitive Edge

APIs drive real revenue, yet poor documentation, inconsistent testing, and fragmented visibility continue to delay monetization. Leaders face a constant trade-off between speed and security, i.e. shipping fast or securing thoroughly. Levo eliminates that compromise.

By automating documentation, continuous testing, and runtime security, Levo ensures that APIs remain accurate, compliant, and protected without slowing the pipeline. Security and compliance teams get continuous posture monitoring and governance, while developers maintain velocity.

For engineering and product leaders, the outcomes are tangible:

• Faster feature delivery without increasing risk
• Higher developer ROI and throughput
• Reduced operational drag and audit readiness by default

Leaders can now scale both developer output and AI adoption with confidence, knowing that every API in production remains visible, validated, and secure.

4. Dual Protection for Human and AI Consumers

The same runtime automation that keeps human developers productive also keeps AI agents safe. Levo identifies whether a caller is human or an AI agent, enforces least-privilege access, applies adaptive rate limits, and produces living documentation that AI agents can safely consume.

This dual protection ensures that both human-driven and machine-driven API traffic remain secure, compliant, and efficient.

Levo turns runtime behavior into continuously updated, living documentation: accurate, context-rich, and instantly usable across REST, GraphQL, gRPC, and SOAP. Your APIs stay ready for integration, your agents operate on truth, and your developers never trade speed for structure again.

The Levo Advantage

For enterprises, the impact compounds across all levels:

• Maximized Developer ROI: Developers focus on innovation, not maintenance.
• Unified Visibility: Teams discover, reuse, and collaborate seamlessly.
• Accelerated Time-to-Market: Leaders scale securely and launch faster.
• Agent-Ready Security: APIs are built for both humans and machines.
  

Levo turns documentation from a bottleneck into a multiplier, enabling teams to build like startups, scale like enterprises, and grow without friction.

Interested to learn more?

Visit Levo.ai or book a demo to see how runtime automation can make your APIs and your agents: secure, discoverable, and future-ready.

Beyond APIs: Securing the Agents That Call Them

APIs are no longer the only part of the system that needs protection. The actors consuming them, i.e., AI agents, LLMs, and orchestration layers,  now interact with APIs autonomously, at scale, and without human review. This shifts the security equation entirely.

Levo extends protection beyond the interface to secure the agents that invoke it, providing runtime visibility into agent-to-API interactions, detecting anomalous or high-risk behaviors, and enforcing adaptive controls to prevent misuse or credential leakage. The same continuous security foundation that protects your APIs now governs every AI call made through them.

We don’t just secure the interface; we secure the agents that call into it. Through modules like Runtime AI Visibility, AI Governance, AI Detection, AI Red Teaming, and AI Protection, Levo makes agent interactions auditable, explainable, and compliant. From mapping sensitive data flows between LLMs to detecting over-scoped access or simulating AI-driven attacks, Levo provides the guardrails enterprises need to scale AI safely.

Book a demo through this link to see it live in action!