We use Apigee's Edge product. It provides API management tools like authentication, authorization, rate limiting, etc. before the request hits your actual API. It's a pretty good product, if that isn't your core competency.
It's not a lot of people's core competency, which is exactly what makes API gateways so useful.
This way anyone can write some half-baked endpoint that returns some JSON, and you put Apigee or any of its competitors in front of it, taking care of the hard stuff like authorization, rate limiting, etc., without which you can have a really rough time.
Auth is a routine job; only a really silly developer manages to make simple token auth vulnerable. There's no "tradeoff" in leaving auth to MitM because it's "hard". Oh, also, there's a bunch of libraries out there doing it for you on your servers.
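The two checks the thread argues about, whether they live in a gateway or in your own server, are small enough to show in full. The block below is an added example, not code from this thread, from Apigee, or from any of the libraries the last comment alludes to: a gateway-style front door that resolves a bearer token to a principal with a constant-time comparison (the part people get wrong when they hand-roll "simple token auth"), applies a per-principal token-bucket rate limit, and only then forwards to the backend. The token table, the `echo_endpoint` backend, the `FakeClock` and the `demo()` request sequence are all constructed for illustration.

```python
import hmac
import time
from dataclasses import dataclass

# Constructed, hypothetical API tokens for the example. A real deployment would load
# these from a secret store and keep only a hash at rest, not the plaintext token.
VALID_TOKENS = {
    "tok_alice_01": "alice",
    "tok_bob_02": "bob",
}


def authenticate(authorization_header):
    """Map an 'Authorization: Bearer <token>' header to a principal, or None.

    Every stored token is compared with hmac.compare_digest, and the loop never
    breaks early, so response time does not depend on how much of a guess matched.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    presented = authorization_header[len("Bearer "):].strip().encode()
    matched = None
    for token, principal in VALID_TOKENS.items():
        if hmac.compare_digest(presented, token.encode()):
            matched = principal
    return matched


@dataclass
class _Bucket:
    tokens: float
    last: float


class RateLimiter:
    """Per-principal token bucket: `capacity` burst, `refill_per_sec` sustained rate."""

    def __init__(self, capacity=5, refill_per_sec=1.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock  # injectable so the demo below is deterministic
        self.buckets = {}

    def allow(self, key):
        now = self.clock()
        b = self.buckets.get(key)
        if b is None:
            b = _Bucket(tokens=float(self.capacity), last=now)
            self.buckets[key] = b
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def gateway(request, limiter, upstream):
    """Authenticate, rate-limit, then forward. Returns (http_status, body).

    `request` is a plain dict {"headers": {...}, "path": ...}; `upstream` is the
    backend endpoint, which is only called once both checks have passed.
    """
    principal = authenticate(request.get("headers", {}).get("Authorization"))
    if principal is None:
        return 401, {"error": "unauthorized"}
    if not limiter.allow(principal):
        return 429, {"error": "rate limited"}
    return 200, upstream(principal, request)


def echo_endpoint(principal, request):
    # Stand-in backend: it trusts the principal the gateway already resolved.
    return {"hello": principal, "path": request.get("path", "/")}


class FakeClock:
    """Manually advanced clock so bucket refill is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Send a constructed request sequence through the gateway; return the statuses."""
    clock = FakeClock()
    limiter = RateLimiter(capacity=2, refill_per_sec=1.0, clock=clock)

    def req(header):
        headers = {"Authorization": header} if header is not None else {}
        return gateway({"headers": headers, "path": "/items"}, limiter, echo_endpoint)[0]

    statuses = [
        req(None),                   # no header
        req("Bearer tok_alice"),     # prefix of a real token, must not match
        req("Basic tok_alice_01"),   # wrong scheme
        req("Bearer tok_alice_01"),  # ok, burst 1 of 2
        req("Bearer tok_alice_01"),  # ok, burst 2 of 2
        req("Bearer tok_alice_01"),  # bucket empty
        req("Bearer tok_bob_02"),    # separate bucket per principal
    ]
    clock.now += 1.0                 # one second refills one request for alice
    statuses.append(req("Bearer tok_alice_01"))
    return statuses


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` returns `[401, 401, 401, 200, 200, 429, 200, 200]`. The rate limiter is keyed on the authenticated principal rather than on the raw header or the client IP, so an attacker cannot dodge it by rotating tokens he does not own, and an unauthenticated flood never touches the bucket table at all.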