It depends on your needs. Do you need:

  • Identity – who claims to be making an API request?
  • Authentication – are they really who they say they are?
  • Authorization – are they allowed to do what they are trying to do?

or all three?

If you just need to identify the caller to keep track of volume or number of API Calls, use a simple API Key. Bear in mind that if the user you have issued the API key shares it with someone else, they will be able to call your API as well.

But, if you need Authorization as well, that is you need to provide access only to certain resources based on the caller of the API, then use oAuth.

Here's a good description: