Use application-level authorisation if you want to control which applications can access your API, but not which specific end users. This is suitable if you want to use rate limiting, auditing, or billing functionality. Application-level authorisation is probably not suitable for APIs holding personal or sensitive data unless you truly trust your consumers, for example another government department.
We recommend using OAuth 2.0, the open authorisation framework (specifically with the Client Credentials grant type). This service gives each registered application an OAuth2 Bearer Token, which can be used to make API requests on the application’s own behalf.
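The Client Credentials flow described above, as an added example that is not part of the original guidance: a minimal in-memory token endpoint and the API-side Bearer check, in Python. The client name, secret, token lifetime and function names are constructed for illustration.

```python
import base64, hmac, secrets, time
from urllib.parse import parse_qs

# Constructed registry of applications: client_id -> client_secret (sample values).
CLIENTS = {"dept-reporting-app": "constructed-secret-1"}
TOKENS = {}           # opaque bearer token -> (client_id, expiry in epoch seconds)
TOKEN_LIFETIME = 300  # assumed lifetime; short lifetimes limit the value of a leaked token

def issue_token(authorization_header, form_body, now=None):
    """Token endpoint for the Client Credentials grant (RFC 6749, section 4.4)."""
    now = time.time() if now is None else now
    if parse_qs(form_body).get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    try:
        # The application authenticates as itself with HTTP Basic; no user is involved.
        scheme, encoded = (authorization_header or "").split(" ", 1)
        client_id, secret = base64.b64decode(encoded).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id, "")
    # Constant-time comparison avoids leaking the secret through timing.
    secret_ok = hmac.compare_digest(secret.encode(), expected.encode())
    if scheme.lower() != "basic" or not expected or not secret_ok:
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (client_id, now + TOKEN_LIFETIME)
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_LIFETIME}

def authorise_request(authorization_header, now=None):
    """API side: map a Bearer token to the calling application, or return None."""
    now = time.time() if now is None else now
    scheme, _, token = (authorization_header or "").partition(" ")
    client_id, expiry = TOKENS.get(token, (None, 0))
    if scheme.lower() != "bearer" or client_id is None or now >= expiry:
        return None
    # The result identifies an application only: usable as the key for rate
    # limiting, auditing or billing, but it says nothing about an end user.
    return client_id
```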
To provide user-level authorisation
Use user-level authorisation if you want to control which end users can access your API. If the organisation is managing the API, you will need to manage the authorisation server.