If, for example, the organisation is managing the API, you will want to manage the authorisation server.
Use application-level authorisation if you want to control which applications can access your API, but not which specific end users. This is suitable if you want to use rate limiting, auditing, or billing functionality. Application-level authorisation is probably not suitable for APIs holding personal or sensitive data unless you trust your consumers, for example another government department.
We advise using OAuth 2.0, the open authorisation framework (specifically with the Client Credentials grant type). This service gives each registered application an OAuth2 Bearer Token, which can be used to make API requests on the application's own behalf.
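The following added example (not code from the original guidance) sketches both sides of the Client Credentials flow in-process: an authorisation server issuing an opaque bearer token to a registered application, and an API that identifies the application from that token to apply rate limiting and auditing. The client name, secret, quota and path are constructed sample values, and the function names are hypothetical.

```python
import hmac, secrets, time

# Constructed registry of applications (client_id -> client_secret); sample values.
CLIENTS = {"dept-reporting-app": "s3cr3t-sample-value"}
TOKENS = {}       # opaque bearer token -> (client_id, expiry time)
AUDIT_LOG = []    # (client_id, path, decision) recorded for every API call
RATE_LIMIT = 3    # hypothetical per-application request quota
USAGE = {}        # client_id -> requests served so far

def token_endpoint(form, now=None):
    """Authorisation server: handle a Client Credentials token request."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    expected = CLIENTS.get(form.get("client_id", ""))
    supplied = form.get("client_secret", "")
    # Constant-time comparison; unknown clients get the same error as bad secrets.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (form["client_id"], now + 3600)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def api_request(path, headers, now=None):
    """API: identify the calling application (not an end user) from its token."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    client_id, expiry = TOKENS.get(token, (None, 0))
    if scheme != "Bearer" or client_id is None or now >= expiry:
        AUDIT_LOG.append((client_id, path, "denied"))
        return 401
    if USAGE.get(client_id, 0) >= RATE_LIMIT:
        AUDIT_LOG.append((client_id, path, "rate_limited"))
        return 429
    USAGE[client_id] = USAGE.get(client_id, 0) + 1
    AUDIT_LOG.append((client_id, path, "allowed"))
    return 200
```

The token carries only the application's identity, so the API can meter and audit per application but cannot tell which person is behind a request.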
To provide user-level authorisation
Use user-level authorisation if you want to control which end users can access your API. This might be suitable for dealing with personal or sensitive data.
For example, OAuth 2.0 is a popular authorisation method in government, specifically with the Authorisation Code grant type.