API key — simplest

Authorization: Bearer sk_live_abc123...

Static token. Easy. Rotation is painful. OK for internal services.

Advertisement

OAuth 2.0 client credentials

POST /oauth/token
grant_type=client_credentials&client_id=...&client_secret=...

Machine-to-machine. Token has TTL, auto-refreshes. Standard for cross-org.

Advertisement

JWT with in-band claims

Client signs a JWT with its identity + intent claims. Server verifies signature, applies policy per claim. No central IdP call needed per request.