It was found that 3scale's APIdocs does not validate the access token when an invalid token is supplied; instead, it uses session auth. This conceivably bypasses access controls and permits viewing unauthorized information.
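A simplified model of the flaw class described above, with a fail-open credential fallback beside a fail-closed version. This is an added example, not 3scale's code; the token and session tables, `Request`, and every function name are hypothetical.

```ruby
# Constructed sample data: one scoped API token and one broader browser session.
VALID_TOKENS = {
  "tok-reader" => { user: "alice", scopes: ["docs:read"] }
}.freeze
SESSIONS = {
  "sess-admin" => { user: "admin", scopes: ["docs:read", "docs:private"] }
}.freeze

Request = Struct.new(:access_token, :session_id, keyword_init: true)

class AuthError < StandardError; end

# Fail-open: a token that does not validate is silently ignored and the
# session cookie decides, so the request runs with the session's privileges.
def authenticate_fail_open(req)
  VALID_TOKENS[req.access_token] || SESSIONS[req.session_id] ||
    raise(AuthError, "no credentials")
end

# Fail-closed: once a token is presented it is the only credential considered.
# An invalid (or empty) token ends the request; the session is consulted only
# when no token was sent at all.
def authenticate_fail_closed(req)
  unless req.access_token.nil?
    return VALID_TOKENS.fetch(req.access_token) do
      raise AuthError, "invalid access token"
    end
  end
  SESSIONS.fetch(req.session_id) { raise AuthError, "no credentials" }
end

# Authorization step shared by both variants: returns :allowed, :forbidden
# (authenticated but lacking the scope) or :rejected (authentication failed).
def outcome(authenticator, req, scope)
  principal = send(authenticator, req)
  principal[:scopes].include?(scope) ? :allowed : :forbidden
rescue AuthError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  req = Request.new(access_token: "not-a-real-token", session_id: "sess-admin")
  puts "fail-open:   #{outcome(:authenticate_fail_open, req, 'docs:private')}"
  puts "fail-closed: #{outcome(:authenticate_fail_closed, req, 'docs:private')}"
end
```

A regression test for this class of bug sends an invalid token together with a valid session and asserts that the request is rejected rather than served.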