APIs need authentication:
API Keys: Simple string in header. Good for server-to-server. Easy to rotate. No user context.
OAuth: Token-based. Access tokens expire. Refresh tokens are used to obtain new access tokens. Supports scopes.
JWT: JSON Web Tokens. Self-contained claims. Verifiable without database lookup. Can become large.
Common pattern: OAuth for user authentication, API keys for service accounts. JWTs as the access token format. Always use HTTPS.