Steps to reproduce: send a cacheable Action API request (e.g. https://en.wikipedia.org/w/api.php?action=query&meta=siteinfo&uselang=content&smaxage=10) from a browser window where you are logged in as a user.
Expected result: x-cache-status header is hit or miss
Actual result: x-cache-status header is pass
$ curl -is 'https://en.wikipedia.org/w/api.php?action=query&meta=siteinfo&uselang=content&smaxage=10' -H 'Cookie: enwikiSession=<redacted>; enwikiUserID=20093189; enwikiUserName=Tgr+%28WMF%29; forceHTTPS=true; centralauth_User=Tgr+%28WMF%29; centralauth_Token=<redacted>; centralauth_Session=<redacted>;' | grep Cache Cache-control: s-maxage=10, max-age=0, public X-Cache: cp1067 pass, cp4018 pass, cp4009 pass X-Cache-Status: pass
This is caused by the API always emitting a Vary: Cookies header, which makes Varnish never cache any request with (certain) cookies in it. Which essentially disables Varnish caching for all API requests if the user is logged in, even if the given API endpoint returns public information and does not care who the user is.