DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Election/Restrictions
NO restrictions warranted at applicant’s initial time of filing for patent. 
Priority
Applicant claims NO foreign or domestic priority at initial time of filing for patent. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/03/2019, the submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Drawings
Applicant’s drawings filed on 09/03/2019 have been inspected and are in compliance with MPEP 608.02. 
Specification
Applicant’s specification filed on 09/03/2019 has been inspected and is in compliance with MPEP 608.01
Claim Objections
NO objections warranted at applicant’s initial time of filing for patent. 
Claim Interpretation – 35 USC 112th 6th or F
It is the opinion of the examiner that claim[s] 1 – 20 DO NOT invoke means for or step plus functional claim language under the meaning of the statute. 
Claim Rejections - 35 USC § 112
NO rejections warranted at applicant’s initial time of filing for patent. 
Double Patenting
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 101
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 102
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim[s] 1, 7, 8, 12, 14, 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Weinzettl et al. [US PGPUB # 2020/0295922] in view of Karlsen et al. [US PGPUB # 2019/0052613]
As per claim 1. Weinzettl does teach a method [Weinzettl, paragraph: 0001, The present disclosure relates to data protection, and, more specifically, to protecting personal data during an individual application program interface (API) call] comprising:
obtaining input data for an application programming interface (API) [Weinzettl, paragraph: 0003, lines 2 – 8 , determining, in the API call, a plurality of field names, and identifying a first field name to search for a first instance of sensitive 
encrypting the input data for the API using a public key of a provider of the API [Weinzettl, paragraph: 0003, lines 8 – 13, The method also comprises, generating, in response to the identifying the first instance of sensitive information, a first encryption key and a first expiration, wherein the first encryption key is configured to encrypt the first instance of sensitive information.]; and 
transmitting to an API management server an API request that invokes the API, the API request including an API call for the API and the encrypted input data [Weinzettl, paragraph: 0003, lines 13 – 16, The method also comprises, encrypting the first instance of sensitive information, sending the API call to an application server, wherein the application server is configured to process the API call.], the API request in a format such that the API management server is capable of performing API management services based on the API call [Weinzettl, Figure # 2, and paragraph: 0036, 1 – 6, At operation 202, an API call is invoked. In some embodiments, the API call is invoked by a user/client through a computing device. In some embodiments, the API call occurs automatically. When invoked, the API call includes a set of data to be sent to the API provider, and instructions on how to process the data.] 
Weinzettl does not teach clearly…… but unable to decrypt the encrypted input data with the public key. 
However, Karlsen does teach….. but unable to decrypt the encrypted input data with the public key [Figure # 4 and paragraph: 415, the device access manager 115 decrypts the encrypted data sharing request 411. In response, at 420, the device access manager 115 sends a public key of the second device 125, referenced as 421. At 425, the first device 120 encrypts the data with the second device public key 421 to form a DPEF. 
 	Then at paragraph: 0046, At 430, the first device 120 encrypts the DPEF with the public key of the device access manager 115 and signs it to form a first encrypted message 431. At 435, the device access manager 115 decrypts the first encrypted message 431 and determines the DPEF is intended for the second device 125. At 440, the device access manager 115 encrypts the DPEF with the second device public key 421 to form a second encrypted message 426. The second encrypted message 426 is in the message queue 135. The second device 125 queries the message queue 135 for encrypted messages. In another example, the message queue 135 pushes encrypted messages to the second device 125. 
Then at paragraph: 0047, At 445, decrypts the second encrypted message 426 with its private key to reveal the DPEF. By decrypting at 445, the second device 125 also checks the identity of the device access manager 115 and identifies the intention of the message is to share data. At 450, the second device 125 decrypts the DPEF with its private key to reveal the data].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl and 
As per claim 7. Weinzettl as modified does teach the method of claim 1, wherein the API management services include at least one of traffic control, management policy enforcement, and security policy enforcement [Karlsen, paragraph: 0052, Some examples of the device access manager 115 decide whether to provide data or not based a voting system. In one instance, the user 105 setups an access policy in such way that they must verify each data exchange. In this way, the user 105 is always asked to verify access to data and the device access manager 115 abstain from voting.].
As per non – transitory media claim 8 that includes the same or similar claim language as method claim 1, and is similarly rejected. 
***The examiner notes that applicant’s recited: “one or more non-transitory computer readable media,” and “one or more processors,” is taught by the prior art of Weinzettl at paragraphs: 0062, 0063 and paragraphs: 0064, 0067, respectively. 
As per claim 12. Weinzettl does teach the one or more computer-readable media of claim 8, wherein the operations further comprise encrypt client data to be part of the API request [Weinzettl, paragraph: 0003, lines 13 – 16, The method also comprises, encrypting the first instance of sensitive information, sending the API call to 
As per non – transitory media claim 14 that includes the same or similar claim language as method claim 7, and is similarly rejected. 

As per system claim 15 that includes the same or similar claim language as method claim 1, and is similarly rejected.
***The examiner notes that applicant’s recited: “one or more non-transitory computer readable media,” and “one or more processors,” is taught by the prior art of Weinzettl at paragraphs: 0062, 0063 and paragraphs: 0064, 0067, respectively. 
Claim[s] 2, 3, 9, 10, 16, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Weinzettl et al. [US PGPUB # 2020/0295922] in view of Karlsen et al. [US PGPUB # 2019/0052613] as applied to claim[s] 1 above, and further in view of Sugihara et al. [US PGPUB # 2016/0094551]
As per claim 2. Weinzettl and Karlsen do teach what is taught in the rejection of claim #1 above. 
Weinzettl and Karlsen do teach clearly the method of claim 1, further comprising receiving, from the API management server, a response to the API request, the response to the API request including an output of the API based on the input data, the output encrypted by the API provider using a public key of a client.
However, Sugihara does teach the method of claim 1, further comprising receiving, from the API management server, a response to the API request, the response to the API request including an output of the API based on the input data, the output encrypted by the API provider using a public key of a client [paragraph: 0042, lines 11 – 15, In another example, a client may provide a key to API security manager module 150 for encrypting an additional authentication challenge that the client 102A later decrypts using a corresponding, but different key 108A. For example, client 102A may provide API security manager module 150 with a public key for encrypting data that client 102A decrypts using a private key 108A stored in a highly secure area 106A owned by an administrative user account.].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl as modified and Sugihara in order for the monitoring of sensitive data and protection/encryption of sensitive data in the API call requests between a clients and an application server of Weinzettl as modified to include an additional encrypted authentication challenge of Sugihara. This would allow for only the client that possesses the decryption key to decrypt the additional authentication challenge to request or submit API request for data service, where the client responds to additional authentication challenge and forwards such authentication challenge to the application server for further processing and prevent cyber – attacks, such as man in the middle attacks. See paragraphs: 0015, and 0004 of Sugihara. 
As per claim 3. Weinzettl as modified does teach the method of claim 2, further comprising decrypting the response to the API request using a private key of the client [Sugihara, paragraph: 0042, lines 11 – 15, In another example, a client may provide a key to API security manager module 150 for encrypting an additional that client 102A decrypts using a private key 108A stored in a highly secure area 106A owned by an administrative user account.].
As per non – transitory media claim 9 that includes the same or similar claim language as method claim 2, and is similarly rejected. 

As per non – transitory media claim 10 that includes the same or similar claim language as method claim 3, and is similarly rejected.
 
As per system claim 16 that includes the same or similar claim language as method claim 2, and is similarly rejected.

As per system claim 17 that includes the same or similar claim language as method claim 3, and is similarly rejected.

Claim[s] 4, 11, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Weinzettl et al. [US PGPUB # 2020/0295922] in view of Karlsen et al. [US PGPUB # 2019/0052613] as applied to claim[s] 1 above, and further in view of Byrd et al. [US PGPUB # 2012/0179907].
As per claim 4. Weinzettl and Karlsen do teach what is taught in the rejection of claim #1 above.
Weinzettl and Karlsen do teach clearly the method of claim 1, wherein the API request further includes unencrypted data components including a client identifier, an API provider identifier, and an API management authorization structure.
However, Byrd does teach the method of claim 1, wherein the API request further includes unencrypted data components including a client identifier, an API provider identifier, and an API management authorization structure [paragraph: 0035, lines 1 – 9, In the future, when the developer application sends a message request to the service provider computer system, the API platform receives the message request which includes the client ID [i.e. applicant’s client identifier] and a digital signature (encrypted) [i.e. applicant’s API provider identifier] created with the developer's private key. The API platform uses the received client ID to identify which public key to use to verify (decrypt) the private key used to sign the message [i.e. applicant’s API management authorization structure]. The API platform uses the client ID and the public key stored within the API memory device, to verify the message.].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl as modified and Byrd in order for the distribution of requested service data by an application server to various types of client API requests of Weinzettl as modified to include considering certificate signing requests from developers of various API interfaces of Byrd. This would allow for the application server to be accessed and provisioned by multiple different API developers in a dynamic manner in real time by developer registration requests. See paragraph: 0009 of Byrd. 
As per non – transitory media claim 11 that includes the same or similar claim language as method claim 4, and is similarly rejected. 

As per system claim 18 that includes the same or similar claim language as method claim 4, and is similarly rejected.

Claim[s] 5, 19  is/are rejected under 35 U.S.C. 103 as being unpatentable over Weinzettl et al. [US PGPUB # 2020/0295922] in view of Karlsen et al. [US PGPUB # 2019/0052613] as applied to claim[s] 1 above, and further in view of Kanemitsu [US PGPUB # 2009/0310776].
As per claim 5.   Weinzettl and Karlsen do teach what is taught in the rejection of claim #1 above.
Weinzettl and Karlsen do teach clearly the method of claim 1, further comprising encrypting developer data to be part of the API request, the developer data provided by a developer prior to obtaining the input data.
However, Kanemitsu does teach the method of claim 1, further comprising encrypting developer data to be part of the API request, the developer data provided by a developer prior to obtaining the input data [paragraph: 0079, lines 3 – 7, In particular, by encrypting the segment including the API call instruction, the manufacturer of the installation package 2 can efficiently prevent illegal copy or imitation of the computer program included in the installation package 2.]. 
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl as modified and Kanemitsu in order for the monitoring of sensitive data and 
As per system claim 19 that includes the same or similar claim language as method claim 5, and is similarly rejected.

Claim[s] 6, 13, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Weinzettl et al. [US PGPUB # 2020/0295922] in view of Karlsen et al. [US PGPUB # 2019/0052613] as applied to claim[s] 1 above, and further in view of Cross et al. [US PGPUB # 2004/0143736]
As per claim 6. Weinzettl and Karlsen do teach what is taught in the rejection of claim #1 above. 
Weinzettl and Karlsen do teach clearly the method of claim 1, wherein the public key of the provider is embedded within a computer program generating the API request such that the encryption of the input data occurs without user input.
However, Cross does teach the method of claim 1, wherein the public key of the provider is embedded within a computer program generating the API request such that the encryption of the input data occurs without user input [paragraph: 0078, lines 4 – 16, Generally, applications that are not DRM-aware or that Application Programming Interfaces (APIs) to save the file, append to the file, modify a block of the file content, and so forth. The file system performs a callout to an abstraction layer (e.g., an EFS module, part, driver, etc. in FIGS. 6 and 7) to examine the content and determine if it contains one or more tags that indicate that it is or should be protected by the DRM functionality. If the content is tagged with DRM attributes for DRM content controls, the abstraction layer acts on behalf of the application to call the DRM client APIs to obtain a license, encrypt the content, and so forth.].
 It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl as modified and Cross in order for the monitoring of sensitive data and protection/encryption of sensitive data in the API call/requests between a clients and an application server of Weinzettl as modified to include digital rights management structure of Cross. This would allow for the application server to enforce control/restrictions on service data requested by the client API call/request. See paragraph: 0003 of Cross. 
As per non – transitory media claim 13 that includes the same or similar claim language as method claim 6, and is similarly rejected. 

As per system claim 20 that includes the same or similar claim language as method claim 6, and is similarly rejected.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Schenkein does teach determining that a data field of API response data satisfies a condition for applying a data security operation to data stored in the data field; and modifying the API response data by performing the data security operation on the data stored in the data field.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910.  The examiner can normally be reached on M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571- 272- 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 
/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434