Small caveat to contradict the answers so far given, because the correct statement is not every BAPI contains an authorization check, though almost all of them should...

My simple counter examples are BAPI_MATERIAL_EXISTENCECHECK and BAPI_MATERIALGROUP_GET_LIST. Now of course they are rather trivial BAPIs, but it clearly shows that not all BAPI's have a builtin authorization check. Note that I'm talking here about authorization checks in ABAP coding via [authority-check|http://help.sap.com/abapdocu_70/en/ABAPAUTHORITY-CHECK.htm]. The story is a bit different if you'd call those BAPI's via [RFC|http://help.sap.com/abapdocu_70/en/ABENRFC_INTRO_OVIEW.htm], because SAP has builtin authorization checks on function group and since fairly recently also on function module name (see authorization object [S_RFC|http://help.sap.com/saphelp_nw70/helpdata/en/60/305140c770cd01e10000000a155106/frameset.htm]).

If you look at any BAPI returning/creating/updating a more complex object you should expect that SAP does some application authorization check. This is especially true for BAPI's that are supposed to mimic any transaction like VA01, etc. However, if you require such a check in a specific situation I'd say it usually doesn't hurt to take a quick peek at the used BAPI to confirm it (and if the BAPI is complex just execute it with an <em>authorization trace</em>).

I apologize for nitpicking, but I couldn't resist since the statements where a bit too broad in my opinion...

Cheers, harald