Use application-level authorisation if you want to control which applications can access your API, but not which specific end users. This is suitable if you want to use rate limiting, auditing, or billing functionality. Application-level authorisation may not be suitable for APIs holding personal or sensitive data unless you trust your consumers, for instance another government department.
We recommend using OAuth 2.0, the open authorisation framework (specifically with the Client Credentials grant type). This service gives each registered application an OAuth2 Bearer Token, which can be used to make API requests on the application's own behalf.
To provide user-level authorisation
Use user-level authorisation if you want to control which end users can access your API.