What are the best practices for designing scalable and secure APIs?

When it comes to API design, what are some best practices you follow to ensure they are scalable, maintainable, and secure? I’ve heard a lot about structuring resources, avoiding over-fetching, and securing endpoints, but I’m curious about how you approach this. Do you follow a specific process or set of rules for API design?