• No delegation capability
• Direct application-to-service authentication
• Cannot represent user consent or third-party access

• Application-level identification only
• Coarse-grained, all-or-nothing access
• No native scope or permission framework
• Custom server-side implementation required

• Perfect for public APIs
• Simple developer onboarding
• No complex PKI or certificate distribution
• Widely understood by external developers
• Easy integration for third parties

• Simple to scale technically
• Management overhead increases with key count
• Monitoring and rotation complexity grows
• Database lookup performance considerations

2.8

• Core purpose: Delegated authorization
• User grants third-party app limited access
• Authorization Code flow for user delegation
• Client Credentials for service delegation

• Scope-based permissions
• Fine-grained access control
• Resource owner can limit permissions
• Standardized permission model across APIs

• Industry standard for public APIs
• Handles untrusted public clients
• No certificate distribution to third parties
• Mature ecosystem and tooling
• Developer-friendly documentation

• Stateless token-based architecture
• Horizontal scaling friendly
• Short-lived tokens reduce management overhead
• Industry-standard tooling and libraries

7.3

• Built on OAuth 2.0 delegation model
• Adds user identity to delegation
• Perfect for "Login with X" scenarios
• Combines authentication + authorization delegation

• Inherits OAuth 2.0 scopes
• Adds identity claims for ABAC
• Standardized user attribute access
• Fine-grained user data permissions

• Perfect for public user-facing apps
• Federated identity across domains
• No certificate management for clients
• Standard protocol with broad support
• Enables "Sign in with X" patterns

• Inherits OAuth 2.0 scalability
• JWT tokens are stateless and cacheable
• Federated identity reduces auth server load
• Standard protocol with mature tooling

7.7

• Direct machine-to-machine authentication
• No delegation concept
• Certificate represents machine identity only
• Cannot express user consent or third-party access

• Strong identity verification only
• No native authorization framework
• Requires separate permission system
• Certificate identifies "who" not "what they can do"

• Not suitable for public APIs
• Requires PKI certificate distribution
• Complex client onboarding process
• Certificate management burden on external developers
• Debugging handshake issues difficult

• PKI management complexity
• Certificate lifecycle overhead
• Revocation list management
• Complex to scale certificate distribution

8.8

• Direct service-to-service authentication
• No delegation mechanism
• Shared secret represents direct trust relationship
• Cannot represent third-party access

• Authentication only, no authorization
• Verifies message sender identity
• No inherent permission information
• Requires separate authorization implementation

• Challenging for public APIs
• Requires secure out-of-band secret sharing
• Complex onboarding for external developers
• Good for webhooks and trusted partners
• Signature implementation precision required

• Stateless verification
• Simple to implement and scale
• Low computational overhead
• Secret management complexity moderate

6.2