A system and method are provided for authenticating client devices communicating with an enterprise system. The method includes providing a policy enforcement interceptor to intercept API calls and enabling the policy enforcement interceptor to communicate with a policy information point to query the at least one endpoint for entitlements associated with an account. The method also includes intercepting an API call to the application API, communicating with the policy information point to determine entitlements associated with the account by having the policy information point query an entitlements database and, when the entitlements returned to the policy enforcement interceptor are valid, invoking a policy decision point to validate the client device. The method also includes, when the client device is validated, permitting invocation of the API. The method also includes providing an API response to the client device to permit access to the application via the API.