Use application-level authorisation if you want to control which applications can access your API, but not which specific end users. This is suitable if you want to use rate limiting, auditing, or billing functionality. Application-level authorisation may not be suitable for APIs holding personal or sensitive data unless you actually trust your consumers, for example another government department.
We recommend using OAuth 2.0, the open authorisation framework (specifically the Client Credentials grant type). This service gives each registered application an OAuth2 Bearer Token, which it can use to make API requests on its own behalf.
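As an added illustration (not code from the original guidance), here is a minimal Python model of the Client Credentials flow described above: an authorisation server that issues a bearer token to a registered application, and a resource server that validates the token and learns only which application is calling, which is enough for rate limiting, auditing or billing but says nothing about an end user. The client id, secret and scope names are constructed sample values.

```python
import hmac
import secrets
import time

# Constructed sample registry of applications: client_id -> its secret and the
# scopes it was granted at registration (hypothetical values, not from the guidance).
REGISTERED_CLIENTS = {
    "dept-x-app": {"secret": "s3cret-x", "scopes": {"read:addresses"}},
}
TOKEN_TTL_SECONDS = 3600
_issued_tokens = {}          # opaque bearer token -> (client_id, scopes, expiry)
calls_by_client = {}         # per-application call counter for auditing / rate limiting


def issue_token(client_id, client_secret, requested_scopes):
    """Client Credentials grant: the application authenticates with its own
    credentials and receives a bearer token that represents the application,
    not any end user. Returns the token response, or None on failure."""
    client = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison; run it even for unknown clients so both paths take similar time.
    expected = client["secret"] if client else ""
    if not client or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return None
    scopes = set(requested_scopes) & client["scopes"]   # never grant more than registered
    token = secrets.token_urlsafe(32)
    _issued_tokens[token] = (client_id, frozenset(scopes), time.time() + TOKEN_TTL_SECONDS)
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": TOKEN_TTL_SECONDS, "scope": " ".join(sorted(scopes))}


def authorise_request(authorization_header, required_scope):
    """Resource-server check on an incoming request. Returns the calling
    application's client_id (the only identity this model can establish) or
    None if the bearer token is missing, unknown, expired or lacks the scope."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    entry = _issued_tokens.get(token)
    if entry is None:
        return None
    client_id, scopes, expiry = entry
    if time.time() >= expiry:
        _issued_tokens.pop(token, None)    # expired tokens are discarded, not reused
        return None
    if required_scope not in scopes:
        return None
    calls_by_client[client_id] = calls_by_client.get(client_id, 0) + 1
    return client_id
```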
Provide user-level authorisation
Use user-level authorisation if you want to control which end users can access your API. If your organisation is managing the API, you will need to manage the authorisation server.