Take a look at the Microprofile JWT specifications. It provides a standard set of jwt claims: https://www.eclipse.org/community/eclipse_newsletter/2017/se...

A central server which maintain all authorization information. The client can request token to access a particular service. The service verifies the token by calling the central server and gets in response the permissions available for that token. Also, a TTLed cache on the servers.

System user permissions with public/private keys for lower level APIs (SSH tunnels, basically).

Centralized token services for ReST APIs

I used to work for a company that has a solution for this exact problem: http://www.tribestream.io Great product and the people couldn't be a more diverse and all around good group of people.

Client certs for service to service communication.

Auth tokens validated by a central entity (a bunch of servers really) for user (mobile apps, etc) to service communication.

JWTs are a good approach. I've also seen folks using mTLS with gRPC.

JWT tokens are a decent approach

Vaulted API keys with lifecycle management.

Docker secrets.

API keys typically

keycloak