Use application-level authorisation if you want to control which applications can access your API, but not which specific end users. It is suitable if you want to use rate limiting, auditing, or billing functionality. Application-level authorisation is typically not suited to APIs holding personal or sensitive data unless you really trust your consumers, for example another government department.
We advise using OAuth 2.0, the open authorisation framework (specifically with the Client Credentials grant type). This service gives each registered application an OAuth2 Bearer Token, which can be used to make API requests on the application’s own behalf.
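The Client Credentials exchange described above, as an added example that is not part of the original guidance: an in-memory token endpoint and API check showing that the bearer token identifies the application (not an end user), which is what rate limiting and auditing are then keyed on. The client registry, secret, limits and function names are constructed for illustration.

```python
import base64, hmac, secrets, time

# Constructed registry: client_id -> (client_secret, requests allowed per minute)
CLIENTS = {"dept-a-app": ("s3cret-constructed", 2)}
TOKENS = {}    # opaque bearer token -> (client_id, expiry timestamp)
AUDIT = []     # (client_id, path, status): records the application, never a user
WINDOWS = {}   # client_id -> timestamps of requests in the last minute

def basic(client_id, secret):
    """Build the HTTP Basic header a registered application sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def token_endpoint(authorization, form, now=None):
    """Client Credentials grant (RFC 6749 section 4.4): the application authenticates as itself."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    try:
        scheme, blob = (authorization or "").split(" ", 1)
        client_id, _, secret = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # missing scheme, bad base64 or bad UTF-8
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id, ("", 0))[0]
    ok = scheme == "Basic" and expected and hmac.compare_digest(secret.encode(), expected.encode())
    if not ok:
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (client_id, now + 3600)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def api_request(authorization, path, now=None):
    """Resolve the bearer token to an application, then rate limit and audit per application."""
    now = time.time() if now is None else now
    scheme, _, token = (authorization or "").partition(" ")
    client_id, expiry = TOKENS.get(token, (None, 0))
    if scheme != "Bearer" or client_id is None or now >= expiry:
        AUDIT.append((client_id, path, 401))
        return 401
    recent = [t for t in WINDOWS.get(client_id, []) if now - t < 60]
    WINDOWS[client_id] = recent
    if len(recent) >= CLIENTS[client_id][1]:
        AUDIT.append((client_id, path, 429))
        return 429
    WINDOWS[client_id].append(now)
    AUDIT.append((client_id, path, 200))
    return 200
```

Every audit entry and rate-limit bucket carries only a `client_id`, so this scheme cannot tell which person is behind a request.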
To provide user-level authorisation
Use user-level authorisation if you’d like to control which end users can access your API.