In case the organisation is managing the API, you will want to manage the authorisation server.


Use application-level authorisation if you want to control which applications can access your API, but not which specific end users. This is suitable if you want to use rate limiting, auditing, or billing functionality. Application-level authorisation may not be suitable for APIs holding personal or sensitive data unless you really trust your consumers, for example another government department.

We recommend using OAuth 2.0, the open authorisation framework (specifically with the Client Credentials grant type). This gives each registered application an OAuth 2.0 Bearer Token, which it can use to make API requests on its own behalf.

Offering user-level authorisation

Use user-level authorisation if you want to control which end users can access your API. This is suitable for dealing with personal or sensitive data.

For example, OAuth 2.0 is a popular authorisation method in government, specifically with the Authorisation Code grant type. Use OAuth 2.0 Scopes for more granular access control.

OpenID Connect (OIDC), which builds on top of OAuth 2.0 and uses JSON Web Tokens (JWT), may be suitable in many cases, for example in a federated system.
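As an added example (not part of the original guidance), here is a minimal API-side check in Python that ties the points above together: it verifies an OAuth 2.0 bearer token carried as a JWT, enforces scopes per endpoint, and refuses application-level (Client Credentials) tokens on endpoints that hold personal data, where a user-level (Authorisation Code) token is required. The HS256 shared secret, endpoint paths, scope names and claims are constructed for the demonstration, and `mint_token` stands in for the authorisation server.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret: stands in for the authorisation server's signing key.
# A real deployment verifies RS256/ES256 signatures against the server's published JWKS.
SECRET = b"constructed-demo-signing-secret"

# Constructed policy: endpoints serving personal data require a user-level token.
ENDPOINT_POLICY = {
    "/reference-data": {"scope": "reference.read", "user_required": False},
    "/citizen-records": {"scope": "records.read", "user_required": True},
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict) -> str:
    """Constructed stand-in for the authorisation server issuing an HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def authorise(token: str, endpoint: str, now=None) -> str:
    """Verify a bearer token for an endpoint; return 'application' or 'user' on success."""
    now = time.time() if now is None else now
    policy = ENDPOINT_POLICY[endpoint]
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm server-side; never trust the 'alg' value in the token.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if policy["scope"] not in claims.get("scope", "").split():
        raise PermissionError(f"missing scope {policy['scope']}")
    # Client Credentials tokens act for the application itself: no end-user subject.
    kind = "user" if claims.get("sub") and claims["sub"] != claims.get("client_id") else "application"
    if policy["user_required"] and kind != "user":
        raise PermissionError("endpoint requires a user-level (Authorisation Code) token")
    return kind
```

The same scope and subject checks apply to an OIDC deployment; only the signature verification changes to use the provider's published keys.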

Whitelisting and privacy

Use whitelisting if you want your API to be permanently or temporarily private, for example to operate a private beta.