Takeaways From the 2025 Nordic APIs Platform Summit

I’ve attended Nordic APIs’ Platform Summit a few times, even before my time at Curity, but this year felt a bit different. It was still the same time and place — mid-fall in Stockholm in the halls of hotel Clarion, which offers unique views of the city (for those of you who haven’t been there, or maybe did not notice: the hotel is built on top of an entry to a highway tunnel and offers a nice view of the disappearing road and a part of the Stockholm archipelago).

To me, two reasons made this year’s experience exceptional:

  • The conference was accompanied by a half-day unconference focusing on API security.

  • You could not hide from hearing about the new cool kid on the block — Model Context Protocol (MCP).

The API Security Unconference

An unconference is a great platform for exchanging experiences, sharing knowledge, and learning. Unlike a “regular” conference, an unconference has no designated speakers — everyone is an attendee — and there is no fixed agenda; the attendees choose the topics they want to discuss during the day. In my opinion, this worked really well. We managed to get some good discussions, where people actively shared their experiences or challenges.

Some conversations did not reach any specific conclusions, but they allowed us to confirm that all the participants deal with similar issues and have similar reservations — this in itself can be reassuring, even if it is not immediately helpful. But there were also sessions that allowed people to learn a lot. For example, we had a very good discussion on API authorization patterns. The person who started it wanted to learn about modern, scalable approaches to API authorization and got exactly that — there were attendees who work with the OpenID Foundation on the AuthZen project, who were able to share their knowledge and present different approaches.

The unconference was a great place to network — it made it easy to meet new people and have great discussions. I recommend trying this format to anyone who finds hallway discussions at conferences an important part of the experience. I’m really glad that Nordic APIs has already announced that there will be another edition next year.

Platform Summit

The conference itself stuck to its well-established format with opening and closing keynotes and breakout sessions in one-hour-long blocks. Each block ended with a joint Q&A which acted as a mini-panel with speakers from the block’s talks. The 20-minute limit for a single talk is enough to get the most important information distilled.

And it turns out that 20 minutes were enough to squeeze MCP into almost every talk, even if not directly mentioned in the title. Apparently, people were placing bets on whether they would manage to attend a talk in which MCP was not mentioned. I don’t know if that really happened, but I know I have been to a few talks that didn’t mention MCP.

Model Context Protocol Taking the API World By Storm

I have never seen a technology or specification create such a buzz as MCP has this year. Even in the early days of GraphQL, people were talking a lot about it, but it wasn’t as ubiquitous as MCP currently is. And MCP is just one year old! To illustrate what I mean — MCP was covered so much that I felt sorry for my listeners for having added an “MCP explainer” slide to my talk, which was in the afternoon of the second day.

I think the reason for this is that MCP can affect APIs from so many different angles:

  • An MCP server is an API in itself, protected by OAuth, and you can focus on the security of its connection to the MCP client.

  • You can focus on the authorization requirements of APIs that will be consumed by MCP servers’ tools.

  • You can focus on how to design and document your APIs so that they can be more easily consumed by MCP servers.

  • You can view all the above topics from two perspectives — external customers and enterprise (workforce). Both of them have different challenges and available solutions.

  • You can talk about how MCP servers can help you with the design, development, testing, or management of APIs.

Even though MCP dominated the discourse, it wasn’t the only thing people presented at the conference.

API Security is as Important as Ever

API security is still a popular topic. It is good, as it proves that we understand its importance. On the other hand, it also shows that we need to continue talking about it to get even more people to think about security first (and get authorization issues off the top of the OWASP list).

I always enjoy security talks, as they allow me to expand, or at least consolidate, my knowledge. Being physically at the talk also allows me to better concentrate on the content, unlike reading an article online.

I especially enjoyed a talk by Roger Bergling on hacking APIs, where he showed a number of tools useful for checking the resilience of your APIs. It was both enjoyable and disturbing to see that it takes seconds to crack a JWT signed with a weak symmetric key. This is exactly why at Curity we have been discouraging people from symmetrically signing JWTs for a long time now.

Platform Summit as a Technology Radar

Another reason I like conferences is that you can learn a lot. Of course, I try to follow trends and news around APIs and API security, but sometimes things slip under the radar. And, also quite obviously, I can’t just sit in front of a web search engine and start to search for the things I don’t know. After every conference I go to, I come back with a list of at least a few technologies or specifications and usually around a dozen tools or vendors I want to check out.

Here are the things that caught my interest at the Platform Summit that I’d like to learn more about:

  • Fuzz testing (fuzzing) of APIs, which means using algorithms to automatically generate tests that try to break your APIs in creative ways.

  • Event Destinations specification, which tries to enhance interoperability in event-driven systems.

  • I first learned about TypeSpec in 2024, and it was nice to see more talks about it this year, even though I still confuse the name with TypeScript… I hope to try it out with the next API I will design.

  • I already mentioned the talk about hacking APIs, and it mentioned a lot of tools I hope to play around with.

  • SAFE-MCP, a security analysis framework for MCP.

Learning From Real-Life Experiences

I mentioned how the unconference is a great place to learn from others’ experiences, but of course, the “regular” conference had no shortage of educational talks. It’s always appreciated when speakers share their journey, so you can either find guidance in how you should approach a similar problem, or what to avoid. This might be why I kept hearing in hallway conversations that one of the most interesting talks at the conference was about an API governance journey in a very large and old insurance company.

Sometimes, the thing you learn might not even be the main topic of the session. For me, the most interesting part of the talk on combining Webhooks and REST was learning about the architecture of a mostly air-gapped system that runs on an airplane to process sales: how it uses an onboard web server to host a website for passengers and connects to point-of-sale terminals. It was interesting to hear about an architecture other than a simple web server exposed on the internet.

Conclusion

I enjoyed this year’s Platform Summit a lot, and I’m really glad that Nordic APIs has already announced the dates for next year: 12-14 October 2026. I hope I will be able to join both the unconference and the main event.

I am curious to see how MCP will evolve and how the worlds of AI and APIs will work together. At Curity, we have been working with it a lot recently. This is why we have just set up a dedicated AI Lab, where we will develop AI agents and reference API architectures that can interact safely with them, either via MCP, or any protocol that emerges. Keep an eye on our blog and website, as we will share our insights as we progress.

If you are curious about this year’s Platform Summit talks, or you have been there and want to refresh or share some with your colleagues, then head down to the Nordic APIs YouTube channel. You will find this year’s recordings there soon, but you can already enjoy all the sessions from previous years. 
