Forum Discussion
API Security requirement?
- Dec 24, 2022
There is no easy answer, so you will need to do a fair amount of reading about this, as there will be different needs depending on your environment.
What I will say is that there is also the issue of "Shadow API" and, for example, API endpoints that may not ask for the Authorization header after the initial authentication. Even with authentication there is a need for authorization, as not all authenticated users must have the same access.
I suggest considering F5 XC distributed cloud, as it does more for API security than just importing a Swagger file: it has WAF, detects Shadow API and gives you suggestions on other detected issues, and there are some things (access token in HTTP request seen in clear text, etc.) that even the F5 WAF can't do that XC can. If you need an OAuth server, then you can use F5 APM after the F5 XC as the OAuth server, or F5 APM can be the resource server/OAuth client and integrate, for example, with Azure AD, which will be your OAuth server. You need to do some reading on that as well.
Useful links, and you can ask the F5 sales/solutions engineers for some demos:
F5 XC API security:
https://www.f5.com/solutions/api-security
F5 Oauth with APM:
https://support.f5.com/csp/article/K42333110
https://support.f5.com/csp/article/K53313351
https://support.f5.com/csp/article/K12744365?utm_source=f5support&utm_medium=RSS
https://support.f5.com/csp/article/K24144540?utm_source=f5support&utm_medium=RSS
https://support.f5.com/csp/article/K00571304
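The checks mentioned in the post above (shadow endpoints, endpoints served without an Authorization header, a token visible in the request), sketched as an added example that is not part of the original post and not F5 code. The endpoint inventory, log record fields, finding names and the choice of "token in the URL query string" as the clear-text case are all assumptions made for illustration.

```python
import re

# Constructed inventory: what an imported Swagger/OpenAPI file would document (assumption).
DOCUMENTED = {
    ("GET", "/api/v1/orders/{id}"),
    ("POST", "/api/v1/orders"),
    ("POST", "/api/v1/login"),
}
NO_AUTH_EXPECTED = {("POST", "/api/v1/login")}  # endpoints that legitimately take no token

# Constructed gateway log records (hypothetical field names).
SAMPLE_LOG = [
    {"method": "POST", "path": "/api/v1/login", "status": 200, "auth_header": False},
    {"method": "GET", "path": "/api/v1/orders/1842", "status": 200, "auth_header": True},
    {"method": "GET", "path": "/api/v1/orders/1843", "status": 200, "auth_header": False},
    {"method": "GET", "path": "/api/v1/debug/users", "status": 200, "auth_header": True},
    {"method": "GET", "path": "/api/v1/orders/7?access_token=REDACTED", "status": 200, "auth_header": False},
    {"method": "DELETE", "path": "/api/v1/orders/9", "status": 405, "auth_header": True},
]

def template_to_regex(template):
    # Turn "/orders/{id}" into a regex where each {param} matches one path segment.
    parts = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")

MATCHERS = [(m, t, template_to_regex(t)) for m, t in DOCUMENTED]

def match_documented(method, path):
    for m, t, rx in MATCHERS:
        if m == method and rx.match(path):
            return (m, t)
    return None

def audit(records):
    # Returns (record index, finding) pairs; only successfully served requests count.
    findings = []
    for i, r in enumerate(records):
        path, _, query = r["path"].partition("?")
        endpoint = match_documented(r["method"], path)
        ok = 200 <= r["status"] < 300
        if endpoint is None and ok:
            findings.append((i, "shadow-endpoint"))
        if endpoint and endpoint not in NO_AUTH_EXPECTED and ok and not r["auth_header"]:
            findings.append((i, "served-without-authorization-header"))
        if re.search(r"(^|&)(access_token|token)=", query):
            findings.append((i, "token-in-url"))
    return findings
```

The rejected DELETE (status 405) is not reported because the sketch only counts requests the API actually served.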
- Jan 04, 2023
I concur. That question is far too large to answer. I'd say that, for API security, you need L2-7 DoS defense (how much, at what layer, varies, based on the application), multi-layer WAAP and complete endpoint mapping, as a start.