Use application-level authorisation if you want to control which applications can access your API, but not which specific end user. This is suitable if you want to use rate limiting, auditing, or billing functionality. Application-level authorisation is probably not suitable for APIs holding personal or sensitive data unless you really trust your consumers, for example another government department.
We recommend using OAuth 2.0, the open authorisation framework (specifically with the Client Credentials grant type). This gives each registered application an OAuth2 Bearer Token, which can be used to make API requests on the application's own behalf.
To provide user-level authorisation
Use user-level authorisation if you want to control which end users can access your API. This is suitable for dealing with personal or sensitive data.
For example, OAuth 2.0 is a popular authorisation framework in government, specifically with the Authorisation Code grant type. Use OAuth 2.0 Scopes for more granular access control.
OpenID Connect (OIDC), which builds on top of OAuth2 and uses JSON Web Tokens (JWT), might be suitable in some cases, for example a federated system.
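The following is an added example, not code from the guidance above or from any GOV.UK project. It shows what an API (the OAuth2 resource server) has to check before trusting a bearer token: a pinned signing algorithm, a valid signature, an expiry claim, and the scope required for the operation. It then reports the principal, which is only an application for a Client Credentials token (a `client_id` and no `sub`) and an application plus an end user for an Authorisation Code token (`sub` present). The HS256 key, the claim names `client_id`, `sub` and `scope`, and the `records:read` / `records:write` scopes are constructed for the example; `mint_token` stands in for the authorisation server so the code runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real API would verify tokens with the authorisation
# server's public key (RS256/ES256) so the API itself never holds signing material.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-for-production"


class AuthorisationError(Exception):
    """Raised when a bearer token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _decode_json_segment(segment: str) -> dict:
    # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors
    try:
        return json.loads(_b64url_decode(segment))
    except ValueError:
        raise AuthorisationError("malformed token segment")


def mint_token(claims: dict, key: bytes = DEMO_SIGNING_KEY) -> str:
    """Issue a compact HS256 JWT. Stands in for the authorisation server so the
    example runs offline; the API being protected would never do this itself."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


def verify_token(token: str, key: bytes = DEMO_SIGNING_KEY, now=None) -> dict:
    """Check structure, signature and expiry; return the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthorisationError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = _decode_json_segment(header_b64)
    # Pin the algorithm: never let the token's own 'alg' header choose the verifier.
    if header.get("alg") != "HS256":
        raise AuthorisationError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    try:
        provided = _b64url_decode(sig_b64)
    except ValueError:
        raise AuthorisationError("malformed signature")
    if not hmac.compare_digest(expected, provided):
        raise AuthorisationError("bad signature")
    claims = _decode_json_segment(body_b64)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    # A token without an expiry is rejected outright rather than treated as eternal.
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthorisationError("token missing exp or expired")
    return claims


def authorise(token: str, required_scope: str, key: bytes = DEMO_SIGNING_KEY, now=None) -> dict:
    """Resource-server check for one request: valid token, required scope granted.
    Returns the principal: Client Credentials tokens identify only the application
    (client_id, no sub); Authorisation Code tokens also identify the end user (sub)."""
    claims = verify_token(token, key, now)
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise AuthorisationError(f"scope {required_scope!r} not granted")
    return {"client_id": claims.get("client_id"), "user": claims.get("sub")}


if __name__ == "__main__":
    now = 1_700_000_000
    app_token = mint_token({"client_id": "dept-app-1", "scope": "records:read", "exp": now + 300})
    user_token = mint_token({"client_id": "portal", "sub": "user-42",
                             "scope": "records:read records:write", "exp": now + 300})
    print(authorise(app_token, "records:read", now=now))    # application-level principal
    print(authorise(user_token, "records:write", now=now))  # user-level principal
```

The scope check is what turns "which application" into "which operation": an application token carrying only `records:read` is refused a write even though its signature and expiry are fine, and the same refusal applies when the signature was produced with a different key, when `exp` is absent, or when the token has already expired.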
For privacy and whitelisting
Use whitelisting if you want your API to be permanently or temporarily private, for example to run a private beta. You can whitelist per application or per user.
You should not whitelist the IP addresses of the APIs you consume. This is because APIs may be provided using Content Delivery Networks (CDNs) and scalable load balancers, which rely on flexible, rapid allocation and sharing of IP addresses. Rather than whitelisting, you should use an HTTPS egress proxy.
Choose a suitable refresh frequency and expiry period for your user access tokens – failure to refresh access tokens regularly can lead to vulnerabilities.
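As an added example (not code from the guidance above), the consumer-side counterpart of the token-expiry advice: a small cache that obtains an access token from the token endpoint, refreshes it a configurable margin before `expires_in` runs out, and drops it when the API rejects it so a revoked token is replaced rather than retried forever. The token endpoint, the fake clock, the 300-second lifetime, the 60-second margin and the request timestamps are all constructed for the example; the fetch callable would in practice perform the Client Credentials or Authorisation Code token request.

```python
import time


class TokenCache:
    """Client-side holder for an OAuth2 access token that refreshes it ahead of expiry.

    fetch_token: callable that performs the token request and returns
                 (access_token, expires_in_seconds), as the token endpoint reports them.
    refresh_margin: refresh this many seconds before expiry so a request is never
                    sent with a token that lapses in flight.
    clock: injected for testability; defaults to wall-clock time.
    """

    def __init__(self, fetch_token, refresh_margin=60, clock=time.time):
        self._fetch_token = fetch_token
        self._refresh_margin = refresh_margin
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._refresh_margin:
            token, expires_in = self._fetch_token()
            self.fetch_count += 1
            self._token = token
            self._expires_at = now + expires_in
        return self._token

    def invalidate(self) -> None:
        """Drop the cached token, e.g. after a 401 because it was revoked server-side."""
        self._token = None


class FakeTokenEndpoint:
    """Constructed stand-in for the authorisation server's token endpoint."""

    def __init__(self, lifetime: int):
        self.lifetime = lifetime
        self.issued = 0

    def __call__(self):
        self.issued += 1
        return f"token-{self.issued}", self.lifetime


def call_api(cache: TokenCache, send_request, attempts=2) -> int:
    """Send a request with a bearer token; on 401 invalidate the token and retry once."""
    for _ in range(attempts):
        status = send_request(cache.get())
        if status != 401:
            return status
        cache.invalidate()
    return 401


def simulate(lifetime=300, refresh_margin=60, request_times=(0, 100, 200, 239, 240, 300)):
    """Replay API calls at the given timestamps against a fake clock; return which
    token each call used and how many token requests were made."""
    clock = {"now": 0}
    cache = TokenCache(FakeTokenEndpoint(lifetime), refresh_margin, clock=lambda: clock["now"])
    used = []
    for t in request_times:
        clock["now"] = t
        used.append(cache.get())
    return used, cache.fetch_count


def simulate_revocation():
    """The API has revoked token-1; the client must replace it, not keep resending it."""
    clock = {"now": 0}
    cache = TokenCache(FakeTokenEndpoint(300), 60, clock=lambda: clock["now"])
    revoked = {"token-1"}
    status = call_api(cache, lambda token: 401 if token in revoked else 200)
    return status, cache.fetch_count


if __name__ == "__main__":
    print(simulate())            # token-2 first used at t=240, i.e. 60 s before token-1 expires
    print(simulate_revocation())  # (200, 2): second token request after the 401
```

Shorter lifetimes bound the damage window of a leaked token, while the refresh margin and the 401 handler are what make short lifetimes workable for the consumer: the token is renewed before it expires, and a token revoked early is replaced on the next request instead of being cached until its nominal expiry.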