Authentication
For the /authorize endpoint, you should use either PasswordBearer or ServerOAuth2Bearer. However, if your integration implies a brokerage data stream and your data is public, you might not have to implement the authorization endpoint at all.
You should have two separate sets of credentials for your production server. For OAuth2, that means a different client id, client secret and private key for each set. Each request to /authorize must return a unique token with a limited lifetime. Several clients must be able to log in with one set of credentials.
If /authorize exists, all requests without a token or with an expired token should return code 401.
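As an added illustration (not code from the original documentation), here is a minimal in-memory sketch of the rules above: a credential check on /authorize, a unique short-lived token minted per call so several clients can share one credential set, and 401 for any request whose token is missing, unknown or expired. The sample client credentials, the one-hour lifetime and the "Authorization: Bearer" header format are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the page only requires "limited"

# Constructed sample credential set (placeholders, not real values).
CLIENTS = {"example-client-id": "example-client-secret"}


@dataclass
class Token:
    client_id: str
    expires_at: float


# token value -> Token. Every /authorize call adds a fresh entry, so many
# clients can log in with the same credentials and still hold distinct tokens.
_tokens: Dict[str, Token] = {}


def authorize(client_id: str, client_secret: str,
              now: Optional[float] = None) -> Tuple[int, dict]:
    """Handle /authorize: verify credentials, then mint a unique, expiring token."""
    now = time.time() if now is None else now
    expected = CLIENTS.get(client_id, "")
    # Constant-time comparison of the shared secret.
    if not expected or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)  # 256 random bits: unique per call
    _tokens[token] = Token(client_id, now + TOKEN_TTL_SECONDS)
    return 200, {"access_token": token, "expires_in": TOKEN_TTL_SECONDS}


def check_request(headers: dict, now: Optional[float] = None) -> int:
    """Return 200 for a valid bearer token, otherwise 401 (missing, unknown, expired)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    value = auth[len("Bearer "):]
    token = _tokens.get(value)
    if token is None:
        return 401
    if now >= token.expires_at:
        _tokens.pop(value, None)  # drop expired tokens so they cannot be reused
        return 401
    return 200
```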