Bearer token — simplest

client.addInterceptor(req -> req.header("Authorization", "Bearer " + tokenSupplier.get()));
Advertisement

OAuth 2.0 client credentials

Machine-to-machine. Token fetched from IdP, cached, refreshed on 401.

Advertisement

mTLS — highest assurance

Both sides present certs. No token to leak. Requires PKI infra — significant setup cost.