When your organisation is managing the API, you will have to manage the authorisation server.

Use application-level authorisation if you want to control which applications can access your API, but not which specific end users. This is suitable if you want to use rate limiting, auditing, or billing functionality. Application-level authorisation is typically not suitable for APIs holding personal or sensitive data unless you truly trust your consumers, for instance another government department. We recommend using OAuth 2.0, the open authorisation framework (specifically with the Client Credentials grant type). This service gives each registered application an OAuth2 Bearer Token, which can be used to make API requests on the application's own behalf.

To provide user-level authorisation

Use user-level authorisation…
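The application-level authorisation described above can be sketched end to end. This is an added example, not code from the original guidance: an in-memory authorisation server issues a Bearer token through the Client Credentials grant, and the API uses it to identify the calling application for rate limiting and auditing. The application name, secret, limits and function names are constructed for illustration.

```python
import hmac
import secrets
import time

# Constructed sample registry: client_id -> client_secret (not real credentials).
REGISTERED_APPS = {"dept-billing-app": "s3cr3t-sample-value"}
TOKENS = {}      # access_token -> (client_id, expiry timestamp)
REQUESTS = {}    # client_id -> timestamps of recent allowed requests
AUDIT_LOG = []   # (timestamp, client_id, path, outcome)
RATE_LIMIT, WINDOW, TOKEN_TTL = 3, 60, 300  # assumed policy values

def token_endpoint(grant_type, client_id, client_secret, now=None):
    """Authorisation server side of the Client Credentials grant (RFC 6749, section 4.4)."""
    now = time.time() if now is None else now
    if grant_type != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    expected = REGISTERED_APPS.get(client_id)
    # The secret is compared in constant time.
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (client_id, now + TOKEN_TTL)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

def api_request(authorization_header, path, now=None):
    """API side: the token names an application, never an end user."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    client_id, expiry = TOKENS.get(token, (None, 0))
    if scheme.lower() != "bearer" or client_id is None or now >= expiry:
        AUDIT_LOG.append((now, client_id, path, "rejected"))
        return 401
    # Sliding-window rate limit keyed on the application identity.
    recent = [t for t in REQUESTS.get(client_id, []) if now - t < WINDOW]
    if len(recent) >= RATE_LIMIT:
        AUDIT_LOG.append((now, client_id, path, "rate_limited"))
        return 429
    REQUESTS[client_id] = recent + [now]
    AUDIT_LOG.append((now, client_id, path, "allowed"))
    return 200
```

Nothing in the token identifies a person, so the API cannot make per-user decisions with it; every audit entry and rate-limit counter is per application.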