PEMark: Watermarking API Responses Based on Proxy Gateways and Position Encoding

📅 2026-05-20
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the vulnerability of API response data to misuse and the lack of effective provenance mechanisms, noting that existing watermarking techniques often require modifications to business logic or data content, thereby disrupting normal system operations. To overcome these limitations, the authors propose a zero-intrusion watermarking method that leverages a proxy gateway to intercept API responses and exploits the inherent ordering redundancy in JSON/XML key-value pairs. By reordering these pairs according to a position-based encoding scheme—without altering their semantics or values—the method embeds watermarks transparently. Crucially, it requires no changes to the underlying business code. Experimental results demonstrate that the approach preserves full service functionality while achieving 100% robustness against tampering and insertion attacks, and remains effective against partial deletion attacks.
📝 Abstract
Data leakage from API responses has drawn wide attention. APIs are often not fully regulated, making them easy to abuse. One common solution is to embed watermarks into API responses for traceability. However, existing watermarking methods often require modifying database content or API response data. This forces changes to business system code, and may even disrupt normal business operations because data values are altered. In this paper, we propose an original pluggable watermarking scheme based on a watermark proxy gateway and PEMark (Position Encoding-based Watermarking). The key novelty of our approach is exploiting the inherent permutation redundancy in the ordering of JSON/XML key-value pairs -- an overlooked dimension that carries no semantic information yet provides abundant encoding capacity. First, we forward server responses to the watermark proxy gateway, a design that requires zero modification to existing business systems. Then, we embed a watermark into each API response using position encoding, which reorders keys without altering any data values. To the best of our knowledge, this is the first work to achieve distortion-free API response watermarking via position encoding over a proxy gateway. Our method does not modify any data values, so normal business operations continue seamlessly after watermark embedding. Experimental results show that our framework maintains business usability while ensuring that returned API data is traceable. Compared with current mainstream schemes, our method is robust against tampering and insertion attacks (100% similarity), and can withstand certain levels of deletion attacks.
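To make the permutation-redundancy idea concrete, here is an added sketch that is not the paper's PEMark algorithm or code: it assumes a factorial-base (Lehmer code) mapping from an integer mark to the order of top-level JSON keys, and assumes the extractor knows the response schema. The function names, the sample response and the mark value 87 are all constructed for illustration.

```python
import json
from math import factorial

# Constructed sample response; field names and values are illustrative only.
SAMPLE = {"user_id": 1042, "email": "a@example.test", "role": "analyst",
          "region": "eu", "plan": "pro"}

def embed(obj, mark):
    """Serialize obj so its top-level key order encodes the integer mark."""
    pool = sorted(obj)                       # canonical baseline order
    if not 0 <= mark < factorial(len(pool)):
        raise ValueError("mark exceeds the n! orderings available")
    ordered = []
    for i in range(len(pool), 0, -1):        # factorial-base digits, high to low
        digit, mark = divmod(mark, factorial(i - 1))
        ordered.append(pool.pop(digit))
    return json.dumps({k: obj[k] for k in ordered})   # values untouched

def extract(text, schema):
    """Recover the mark from key order, ignoring keys outside the known schema."""
    seen = [k for k in json.loads(text) if k in schema]
    pool = sorted(schema)
    if sorted(seen) != pool:
        raise ValueError("schema keys missing: order cannot be fully decoded")
    mark = 0
    for i, key in enumerate(seen):
        digit = pool.index(key)
        pool.pop(digit)
        mark += digit * factorial(len(seen) - 1 - i)
    return mark

def demo():
    marked = embed(SAMPLE, 87)               # 87 = constructed consumer ID
    edited = json.loads(marked)
    edited["role"] = "admin"                 # value tampering
    edited["note"] = "x"                     # key insertion
    return marked, extract(marked, SAMPLE), extract(json.dumps(edited), SAMPLE)

if __name__ == "__main__":
    print(demo())
```

With five keys the sketch has 5! = 120 distinguishable orderings; it handles only top-level keys and refuses to decode when schema keys have been deleted.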
Problem

Research questions and friction points this paper is trying to address.

API watermarking
data leakage
traceability
non-intrusive embedding
position encoding
Innovation

Methods, ideas, or system contributions that make the work stand out.

watermarking
proxy gateway
position encoding
API security
data traceability
Yifei Zhou
Huazhong University of Science and Technology, Wuhan, China
Xianjun Gu
Huazhong University of Science and Technology, Wuhan, China; State Grid Hubei Electric Power Co., Ltd., Wuhan, China
Xinyu Dai
Nanjing University
Ming Liu
Huazhong University of Science and Technology, Wuhan, China; Wuhan Jinyinhu Laboratory, Wuhan, China
Lansheng Han
Huazhong University of Science and Technology, Wuhan, China; Wuhan Jinyinhu Laboratory, Wuhan, China