Bearer token — simplest
client.addInterceptor(req -> req.header("Authorization", "Bearer " + tokenSupplier.get()));Advertisement
OAuth 2.0 client credentials
Machine-to-machine. Token fetched from IdP, cached, refreshed on 401.
Advertisement
mTLS — highest assurance
Both sides present certs. No token to leak. Requires PKI infra — significant setup cost.