I've found a few good articles but they seem to disagree with regard to how many layers of security are required. Looking at other popular APIs doesn't offer much clarity. Twilio uses basic auth + HTTPS, Twitter uses OAuth, AWS uses HMAC... WTF?
Specifically, if I'm using HTTPS, can I get by with a simple secret key sent with each request? I'm trying to balance ease of use with security. I don't want to require the API user to sign the payload/query using their private key if I can avoid it.
1. Don't have to give their password to third party services
2. Can limit what kind of access the third party has (public vs private repos, for example)
3. Can reject a specific app's access without affecting that of others