I have previously written about how easy it to implement Web API controllers in Sitecore. However since Sitecore adds a lot of global filters for authorization and security policies - e.g. see sitecore/api/configuration/filters section in Sitecore.Services.Client.config. You might want to disable these filters, as they can interfere when building a public accessible API - see gist below. During a debugging session I noticed that a filter from some FXM assembly were also added.

To be fair, most of Sitecore’s implementations of IFilter/ActionFilterAttribute that are assigned globally on HttpConfiguration, does check for presence of ServicesControllerAttribute and inheritance of ServicesApiController. This means you might prevent these filters from doing anything by using System.Web.Http.ApiController as base class for your controllers. I haven’t been though the code for all Sitecore’s filters, so I’m playing it safe, and decorate my ApiControllers with a ClearSitecoreWebApiConfigAttribute.

I encourage the developers of Sitecore to consider using controller-specific configuration instead of loading the global HttpConfiguration with all kinds of module or feature specific stuff.