This thought is the fundamental problem. You should assume from day one that an API specification, even if it is internal, is available publicly. To assume otherwise is just to rely on security through obfuscation. Security through obscurity has never been a good idea, or even remotely secure.