Agoda Universal MCP, Moltbook API Keys Leak, Radware + Pynt
The API Changelog issue 2026.05
This is issue 2026.05 of the API Changelog, a mix of API news, commentary, and opinion. In this issue, you'll get to know the most relevant API-related information from the week of January 26, 2026. Subscribe now so you never miss an issue of the API Changelog.
This issue of the API Changelog is sponsored by Jentic:
Jentic’s AI‑readiness scorecard gives teams a fast, standards‑aligned view of how usable an API is for agents. It surfaces gaps in summaries, examples, error handling, and auth that block reliable automation, and prioritises the improvements that raise both developer experience and agent success. Use it to benchmark APIs, align teams on readiness, and keep control as AI systems become the dominant API consumers.
Looking back at the end of January 2026, it feels like one of those moments where several threads in the API economy quietly tied themselves together. Not with a single breakthrough announcement, but through a series of moves that all point in the same direction: it looks like we’re finally stepping away from fragmented systems and toward more unified, intelligent ecosystems.
Radware’s acquisition of Pynt and Agoda’s release of its Universal MCP API Agent are good examples of this shift. For years, we treated security as something bolted on after the fact, and integrations as bespoke, manually wired projects. What’s changing now is where those concerns live. Security is being pulled directly into the API lifecycle, reducing the gap between design and protection. At the same time, tools like Agoda’s MCP agent hint at a future where interacting with APIs is no longer about writing glue code, but about letting AI systems discover and reason about capabilities on our behalf. Less manual labor, fewer brittle connections, and a steady move toward systems that are secure by default.
A similar pattern shows up when you look at finance and trading. APIs in this area are no longer just pipes for moving data around. They’re becoming active participants in how markets operate. The partnership between GFT and Ozone API feels like a long-overdue step for Open Banking in Canada, finally providing the kind of shared framework that makes seamless data exchange and payments realistic at scale. In parallel, Axis Quant AI is using high-speed API integrations to bring institutional-grade algorithmic trading into the crypto world. Different domains, same idea: APIs acting as the connective tissue that allows complex models and financial services to operate with the speed and precision modern markets expect.
Put together, these stories reinforce something that’s becoming hard to ignore. The “API-first” world is steadily turning into an “AI-first” one. APIs are being redesigned with machines as the primary consumers, not just developers. Whether it’s LLMs discovering data sources or autonomous trading systems executing decisions in milliseconds, the infrastructure underneath is shifting toward machine-to-machine interaction. The extreme of this “AI-first” paradigm is Moltbook, a social network for AI Agents that has been recently launched. The idea is that your agents can sign up and collaborate by asking questions, sharing ideas, and even working together on complex tasks, eventually. Unfortunately, it got in the news for all the wrong reasons. It looks like Moltbook had a vulnerability that would let anyone access agents’ API keys.
Speaking of vulnerabilities and AI, Wallarm announced a major expansion of its platform and leadership team to address the "structural change" in security caused by the convergence of APIs and AI. The company is scaling its operations to meet a 270% surge in risks associated with the Model Context Protocol (MCP) and other AI-driven interfaces. MCP Jail, for example, is its open-source response to the access many MCP servers have to sensitive information. According to Wallarm, from a total of 501 MCP servers, “nearly every server can steal your credentials, exfiltrate your code, or backdoor your system.”
Back to less dramatic things, AsyncAPI announced the release of version 3.1.0. New features include ROS 2 protocol bindings and major tooling updates to the latest versions of their dependencies. ROS 2 support is rather interesting, in the context I was sharing before, because ROS stands for Robot Operating System. In fact, and according to the official documentation, it’s “a set of software libraries and tools for building robot applications. From drivers and state-of-the-art algorithms to powerful developer tools, ROS has the open source tools you need for your next robotics project.” ROS is one of the most used robotics standards, by the way, with organizations like BMW, Boeing, Caterpillar, John Deere, using it (see full list). Being able to use AsyncAPI in robotic solutions feels, to me, like a major breakthrough.
As you can see, there’s a trend here. APIs are no longer just technical artifacts we document and hand off. They’re becoming strategic assets: enforcing compliance by design, enabling automation by default, and increasingly shaping how value is created and exchanged. If, in the past, it was all about exposing capabilities, the future looks like it will be about letting intelligent systems actually use them.
See you next week!