DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s remarks filed on 11/03/2021 have been considered. 
Regarding claim[s] 1 – 20 under the various obviousness rejections, applicant’s remarks are moot because the new ground of rejection does not rely on all of the references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Therefore, see the examiner’s response to such remarks in the office action below. 
The examiner will address all other remarks that do not concern the prior art rejections, If any, in the office action below. 
Applicant states on page[s] 7 of the remarks as filed: “The Office Action relies primarily on Weinzettl as allegedly teaching the elements of the independent claims, with Karlsen teaching what Weinzettl is lacking. Further, the Office Action acknowledges that both Weinzettl and Karlsen fail to teach the elements of claim 5 and instead cites Kanemitsu as allegedly teaching the elements of claim 5.

Kanemitsu relates to a method of information concealment. Abstract. The claims as amended include encrypting predetermined data prior to obtaining input data. The predetermined data may include API access information and encryption information, as described in paragraph[0042] of the current application. Although Kanemitsu discusses “encrypting the segment including the API call instruction, the manufacturer of the 
of “encrypting predetermined data to be part of an application programming interface (API) request, the predetermined data provided by a developer prior to obtaining input data, the= predetermined data including API access information and encryption information” as recited in the claims. Therefore, Kanemitsu fails to teach, suggest, or otherwise disclose the above-quoted recitations. ”

	In response the examiner isn’t persuaded, the examiner points to the prior art of Kanemitsu. Specifically, at paragraph: 0034, The product package 1 includes the installation package 2, an electronic signature 3, a common key 4, and a control table 5.
	Where at paragraph: 0036, lines 1 – 4, The installation package 2 is split into a plurality of segments. The segments each comprise an encryption segment 6 and a non-encryption segment 7. The encryption segment 6 is encrypted by a common key cryptosystem.
	Where at paragraph: 0040, lines 1 – 3, In the product package 1, the electronic signature 3, the common key 4 [i.e. applicant’s encryption information], and the control table 5 [i.e. applicant’s API access information] are encrypted by a public key cryptosystem.
	Where at paragraph: 0079, lines 3 – 7, In particular, by encrypting the segment including the API call instruction, the manufacturer of the installation package 2 can efficiently prevent illegal copy or imitation of the computer program included in the installation package 2.
S9, and paragraph: 0065, Subsequently, the product conversion processing section 26 generates the product package 1 by encrypting the electronic signature 3, the common key 4 [i.e. applicant’s encryption information], and the control table 5 [i.e. applicant’s API access information] by the public key cryptosystem. The product conversion processing section 26 performs a compression processing on the entire product package 1. The compressed product package 1 is then outputted to the recording medium such as an optical disk through the information output section 12 (Step S9: product conversion step). [i.e. applicant’s the predetermined data provided by a developer prior to obtaining input data].
***The examiner’s response above applies equally to the same or similar remarks made on page[s] 6 – 8, regarding claim[s] 8 and 15 of the remarks as filed. 
Response to Amendment
Status of the instant application:
Claim[s] 5 and 19 have been cancelled. 
Regarding claim[s] 5 and 19 under an obviousness rejection, applicant’s cancellation of the claim[s] have been considered, therefore, the rejections are withdrawn. 
Regarding claim[s] 1 – 4, 6 – 18, 20 under the various obviousness rejections, applicant’s claim amendments have been considered, therefore, the rejections are However, there are new prior art rejections on the claims to address applicant’s newly added claim amendments. See the office action below.  
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim[s] 1, 7, 8, 12, 14, 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Weinzettl et al. [US PGPUB # 2020/0295922] in view of Karlsen et al. 
As per claim 1. Weinzettl does teach a method [Weinzettl, paragraph: 0001, The present disclosure relates to data protection, and, more specifically, to protecting personal data during an individual application program interface (API) call] comprising:
obtaining the input data for an API [Weinzettl, paragraph: 0003, lines 2 – 8 , determining, in the API call, a plurality of field names, and identifying a first field name to search for a first instance of sensitive information. The method also comprises, identifying a first instance of sensitive information in the first field name, wherein the first instance of sensitive information is identified by pattern matching.]; 
encrypting the input data for the API using a public key of a provider of the API [Weinzettl, paragraph: 0003, lines 8 – 13, The method also comprises, generating, in response to the identifying the first instance of sensitive information, a first encryption key and a first expiration, wherein the first encryption key is configured to encrypt the first instance of sensitive information.]; and 
transmitting to an API management server the API request that invokes the API, the API request including an API call for the API and the encrypted input data [Weinzettl, paragraph: 0003, lines 13 – 16, The method also comprises, encrypting the first instance of sensitive information, sending the API call to an application server, wherein the application server is configured to process the API call.], the API request in a format such that the API management server is capable of performing API management services based on the API call [Weinzettl, Figure # 2, and paragraph: 
Weinzettl does not teach clearly…… but unable to decrypt the encrypted input data with the public key. 
However, Karlsen does teach….. but unable to decrypt the encrypted input data with the public key [Figure # 4 and paragraph: 415, the device access manager 115 decrypts the encrypted data sharing request 411. In response, at 420, the device access manager 115 sends a public key of the second device 125, referenced as 421. At 425, the first device 120 encrypts the data with the second device public key 421 to form a DPEF. 
 	Then at paragraph: 0046, At 430, the first device 120 encrypts the DPEF with the public key of the device access manager 115 and signs it to form a first encrypted message 431. At 435, the device access manager 115 decrypts the first encrypted message 431 and determines the DPEF is intended for the second device 125. At 440, the device access manager 115 encrypts the DPEF with the second device public key 421 to form a second encrypted message 426. The second encrypted message 426 is in the message queue 135. The second device 125 queries the message queue 135 for encrypted messages. In another example, the message queue 135 pushes encrypted messages to the second device 125. 
At 445, decrypts the second encrypted message 426 with its private key to reveal the DPEF. By decrypting at 445, the second device 125 also checks the identity of the device access manager 115 and identifies the intention of the message is to share data. At 450, the second device 125 decrypts the DPEF with its private key to reveal the data].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl and Karlsen in order for the monitoring of sensitive data and protection/encryption of sensitive data in the API call/requests between a clients and an application server of Weinzettl to include device public encrypted file [DPEF] of Karlsen. This would allow for the application server to identify clients in involved in the API request/exchange/encryption of service data by verifying the digital certificate of the clients in an automated manner. See paragraph: 0021, lines 6 – 9 of Karlsen. 
	Weinzettl and Karlsen do not teach clearly encrypting predetermined data to be part of an application programming interface (API) request, the predetermined data provided by a developer prior to obtaining input data, the
predetermined data including API access information and encryption information. 
	However, Kanemitsu does teach encrypting predetermined data to be part of an application programming interface (API) request, the predetermined data provided by a developer prior to obtaining input data, the
predetermined data including API access information and encryption information [paragraph: 0034, The product package 1 includes the installation package 2, an electronic signature 3, a common key 4, and a control table 5.
	Where at paragraph: 0036, lines 1 – 4, The installation package 2 is split into a plurality of segments. The segments each comprise an encryption segment 6 and a non-encryption segment 7. The encryption segment 6 is encrypted by a common key cryptosystem.
	Where at paragraph: 0040, lines 1 – 3, In the product package 1, the electronic signature 3, the common key 4 [i.e. applicant’s encryption information], and the control table 5 [i.e. applicant’s API access information] are encrypted by a public key cryptosystem.
	Where at paragraph: 0079, lines 3 – 7, In particular, by encrypting the segment including the API call instruction, the manufacturer of the installation package 2 can efficiently prevent illegal copy or imitation of the computer program included in the installation package 2.
	Where at Figure # 4, steps: S1 - S5, and S7 – S9, and paragraph: 0065, Subsequently, the product conversion processing section 26 generates the product package 1 by encrypting the electronic signature 3, the common key 4 [i.e. applicant’s encryption information], and the control table 5 [i.e. applicant’s API access information] by the public key cryptosystem. The product conversion processing section 26 performs a compression processing on the entire product package 1. The compressed product package 1 is then outputted to the recording medium such as an optical disk through the information output section 12 (Step S9: product conversion step). [i.e. applicant’s the predetermined data provided by a developer prior to obtaining input data]]. 
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl as modified and Kanemitsu in order for the monitoring of sensitive data and protection/encryption of sensitive data in the API call requests between a clients and an application server of Weinzettl as modified to include an information concealment method of Kanemitsu. This would allow for the sensitive information identified of the API call/request to be encrypted in a manner that reduces the number of computation cycles to encrypt such sensitive data by software on the client and or application server. See paragraphs: 0007, 0009 of Kanemitsu. 
As per claim 7. Weinzettl as modified does teach the method of claim 1, wherein the API management services include at least one of traffic control, management policy enforcement, and security policy enforcement [Karlsen, paragraph: 0052, Some examples of the device access manager 115 decide whether to provide data or not based a voting system. In one instance, the user 105 setups an access policy in such way that they must verify each data exchange. In this way, the user 105 is always asked to verify access to data and the device access manager 115 abstain from voting.].
As per non – transitory media claim 8 that includes the same or similar claim language as method claim 1, and is similarly rejected. 
***The examiner notes that applicant’s recited: “one or more non-transitory computer readable media,” and “one or more processors,” is taught by the prior art of Weinzettl at paragraphs: 0062, 0063 and paragraphs: 0064, 0067, respectively. 
As per claim 12. Weinzettl does teach the one or more computer-readable media of claim 8, wherein the operations further comprise encrypt client data to be part of the API request [Weinzettl, paragraph: 0003, lines 13 – 16, The method also comprises, encrypting the first instance of sensitive information, sending the API call to an application server, wherein the application server is configured to process the API call].
As per non – transitory media claim 14 that includes the same or similar claim language as method claim 7, and is similarly rejected. 

As per system claim 15 that includes the same or similar claim language as method claim 1, and is similarly rejected.
***The examiner notes that applicant’s recited: “one or more non-transitory computer readable media,” and “one or more processors,” is taught by the prior art of Weinzettl at paragraphs: 0062, 0063 and paragraphs: 0064, 0067, respectively. 
Claim[s] 2, 3, 9, 10, 16, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Weinzettl et al. [US PGPUB # 2020/0295922] in view of Karlsen et al. [US PGPUB # 2019/0052613] and Kanemitsu [US PGPUB # 2009/0310776] as applied to claim[s] 1 above, and further in view of Sugihara et al. [US PGPUB # 2016/0094551]
As per claim 2. Weinzettl and Karlsen and Kanemitsu do teach what is taught in the rejection of claim #1 above. 
Weinzettl and Karlsen and Kanemitsu do not teach clearly the method of claim 1, further comprising receiving, from the API management server, a response to the API request, the response to the API request including an output of the API based on the input data, the output encrypted by the API provider using a public key of a client.
However, Sugihara does teach the method of claim 1, further comprising receiving, from the API management server, a response to the API request, the response to the API request including an output of the API based on the input data, the output encrypted by the API provider using a public key of a client [paragraph: 0042, lines 11 – 15, In another example, a client may provide a key to API security manager module 150 for encrypting an additional authentication challenge that the client 102A later decrypts using a corresponding, but different key 108A. For example, client 102A may provide API security manager module 150 with a public key for encrypting data that client 102A decrypts using a private key 108A stored in a highly secure area 106A owned by an administrative user account.].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl as modified and Sugihara in order for the monitoring of sensitive data and protection/encryption of sensitive data in the API call requests between a clients and an application server of Weinzettl as modified to include an additional encrypted authentication challenge of Sugihara. This would allow for only the client that possesses the decryption key to decrypt the additional authentication challenge to request or submit API request for data service, where the client responds to additional authentication challenge and forwards such authentication challenge to the application server for further processing and prevent cyber – attacks, such as man in the middle attacks. See paragraphs: 0015, and 0004 of Sugihara. 
As per claim 3. Weinzettl as modified does teach the method of claim 2, further comprising decrypting the response to the API request using a private key of the client [Sugihara, paragraph: 0042, lines 11 – 15, In another example, a client may provide a key to API security manager module 150 for encrypting an additional authentication challenge that the client 102A later decrypts using a corresponding, but different key 108A. For example, client 102A may provide API security manager module 150 with a public key for encrypting data that client 102A decrypts using a private key 108A stored in a highly secure area 106A owned by an administrative user account.].
As per non – transitory media claim 9 that includes the same or similar claim language as method claim 2, and is similarly rejected. 

As per non – transitory media claim 10 that includes the same or similar claim language as method claim 3, and is similarly rejected.
 
As per system claim 16 that includes the same or similar claim language as method claim 2, and is similarly rejected.

As per system claim 17 that includes the same or similar claim language as method claim 3, and is similarly rejected.

Claim[s] 4, 11, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Weinzettl et al. [US PGPUB # 2020/0295922] in view of Karlsen et al. [US PGPUB # 2019/0052613] and Kanemitsu [US PGPUB # 2009/0310776] as applied to claim[s] 1 above, and further in view of Byrd et al. [US PGPUB # 2012/0179907]
As per claim 4. Weinzettl and Karlsen and Kanemitsu do teach what is taught in the rejection of claim #1 above.
Weinzettl and Karlsen and Kanemitsu do not teach clearly the method of claim 1, wherein the API request further includes unencrypted data components including a client identifier, an API provider identifier, and an API management authorization structure.
However, Byrd does teach the method of claim 1, wherein the API request further includes unencrypted data components including a client identifier, an API provider identifier, and an API management authorization structure [paragraph: 0035, lines 1 – 9, In the future, when the developer application sends a message request to the service provider computer system, the API platform receives the message request which includes the client ID [i.e. applicant’s client identifier] and a digital signature (encrypted) [i.e. applicant’s API provider identifier] created with the developer's private key. The API platform uses the received client ID to identify which public key to use to verify (decrypt) the private key used to sign the message [i.e. applicant’s API management authorization structure]. The API platform uses the client ID and the public key stored within the API memory device, to verify the message.].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl as modified and Byrd in order for the distribution of requested service data by an application server to various types of client API requests of Weinzettl as modified to include considering certificate signing requests from developers of various API 
As per non – transitory media claim 11 that includes the same or similar claim language as method claim 4, and is similarly rejected. 

As per system claim 18 that includes the same or similar claim language as method claim 4, and is similarly rejected.

Claim[s] 6, 13, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Weinzettl et al. [US PGPUB # 2020/0295922] in view of Karlsen et al. [US PGPUB # 2019/0052613] and Kanemitsu [US PGPUB # 2009/0310776] as applied to claim[s] 1 above, and further in view of Cross et al. [US PGPUB # 2004/0143736]
As per claim 6. Weinzettl and Karlsen and Kanemitsu do teach what is taught in the rejection of claim #1 above. 
Weinzettl and Karlsen and Kanemitsu do not teach clearly the method of claim 1, wherein the public key of the provider is embedded within a computer program generating the API request such that the encryption of the input data occurs without user input.
However, Cross does teach the method of claim 1, wherein the public key of the provider is embedded within a computer program generating the API request such that the encryption of the input data occurs without user input [paragraph: 0078, lines 4 – 16, Generally, applications that are not DRM-aware or that Application Programming Interfaces (APIs) to save the file, append to the file, modify a block of the file content, and so forth. The file system performs a callout to an abstraction layer (e.g., an EFS module, part, driver, etc. in FIGS. 6 and 7) to examine the content and determine if it contains one or more tags that indicate that it is or should be protected by the DRM functionality. If the content is tagged with DRM attributes for DRM content controls, the abstraction layer acts on behalf of the application to call the DRM client APIs to obtain a license, encrypt the content, and so forth.].
 It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Weinzettl as modified and Cross in order for the monitoring of sensitive data and protection/encryption of sensitive data in the API call/requests between a clients and an application server of Weinzettl as modified to include digital rights management structure of Cross. This would allow for the application server to enforce control/restrictions on service data requested by the client API call/request. See paragraph: 0003 of Cross. 
As per non – transitory media claim 13 that includes the same or similar claim language as method claim 6, and is similarly rejected. 

As per system claim 20 that includes the same or similar claim language as method claim 6, and is similarly rejected.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571- 272- 3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434