When your organisation is managing the API, you will want to manage the authorisation server.

Use application-level authorisation if you want to control which applications can access your API, but not which specific end users. This might be suitable if you wish to use rate limiting, auditing, or billing functionality. Application-level authorisation is probably not ideal for APIs holding personal or sensitive data unless you really trust your consumers, for example, another government department.

We recommend using OAuth 2.0, the open authorisation framework (specifically with the Client Credentials grant type). This service gives each registered application an OAuth2 Bearer Token, which can be used to make API requests on the application’s own behalf.
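The Client Credentials exchange described above, as an added example that is not part of the original guidance: an in-memory authorisation server issues a bearer token to a registered application, and the API uses that token to identify the application (never an end user) for auditing and rate limiting. All names and values (`CLIENTS`, `dept-a-app`, the secret, the limit of 2) are constructed for illustration, and HTTP transport is replaced by plain function calls.

```python
import base64, hashlib, hmac, secrets, time

# Constructed registry: client_id -> SHA-256 of a high-entropy client secret.
CLIENTS = {"dept-a-app": hashlib.sha256(b"s3cret-constructed").hexdigest()}
TOKENS = {}      # opaque bearer token -> (client_id, expiry timestamp)
AUDIT = []       # (client_id, path) for every authorised request
RATE_LIMIT = 2   # requests allowed per application, kept tiny for the demo

def token_endpoint(authorization_header, form, now=None):
    """RFC 6749 section 4.4: the application authenticates as itself."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    try:
        scheme, blob = authorization_header.split(" ", 1)
        client_id, secret = base64.b64decode(blob).decode().split(":", 1)
    except ValueError:  # covers bad base64, bad UTF-8 and missing separators
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id, "")
    supplied = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison; unknown clients fail the same way as bad secrets.
    if scheme != "Basic" or not hmac.compare_digest(expected, supplied):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (client_id, now + 3600)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def api_request(authorization_header, path, now=None):
    """Resource server: learns which application is calling, not which user."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    client_id, expiry = TOKENS.get(token, (None, 0))
    if scheme != "Bearer" or client_id is None or now >= expiry:
        return 401, "invalid_token"
    if sum(1 for c, _ in AUDIT if c == client_id) >= RATE_LIMIT:
        return 429, "rate limit exceeded for " + client_id
    AUDIT.append((client_id, path))
    return 200, "ok for " + client_id

def basic(client_id, secret):
    """Build the HTTP Basic header an application sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()
```

The audit trail records only a client identifier, which is why this level of authorisation cannot answer which end user accessed a given record.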

To provide user-level authorisation

Use user-level authorisation if you want to control which end users can access your API.