API key — simplest
Authorization: Bearer sk_live_abc123...Static token. Easy. Rotation is painful. OK for internal services.
Advertisement
OAuth 2.0 client credentials
POST /oauth/token
grant_type=client_credentials&client_id=...&client_secret=...Machine-to-machine. Token has TTL, auto-refreshes. Standard for cross-org.
Advertisement
JWT with in-band claims
Client signs a JWT with its identity + intent claims. Server verifies signature, applies policy per claim. No central IdP call needed per request.