Reputation: 355
I have built a REST API that will be integrated into existing consumer booking systems/applications and enable their clients (end users) to book additional goods/services that my company provides.
For example, end user books accommodation and, if the booking system they used has fully integrated our API, that user can also rent a car for his trip.
So the three parties involved in this B2B2C business (in a mini-flow chart) are:
API (My company) <--> Client (Booking Provider) <--> (Client's Client) End user
On behalf of the end user, our client (the booking provider) can call the following of our endpoints:
We want booking providers to 'install' our API services in their system, thus providing our services to their end users, and then not really have to worry about it (i.e. not have to log in all the time to reauthenticate). My question is, how would you protect these endpoints?
API key - so the booking provider hardcodes the key in their requests?
JWT - the booking provider has to hardcode their login details to automatically retrieve an access token every time there is a session?
OAuth - same issue as JWT?
None of these seem optimal. If you have any advice I would be very grateful.
Upvotes: 0
Views: 191
Reputation: 155
In my opinion there is not much difference between API key and JWT/OAuth in the scenario you described.
Personally I would choose an API key, or if you really need to maintain a higher level of security you could think about a certificate-based mutual authentication.
Upvotes: 2
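As an added illustration of the API-key option recommended above (example code, not from the question or the answer): a minimal server-side validator for a per-provider key. The key format 'key_id.secret', the X-Api-Key header, and the in-memory registry are assumptions; the point is that only a digest of the secret is stored, lookup is by a public id, comparison is constant-time, and a provider can hold two keys at once so rotation needs no downtime.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class KeyRecord:
    provider_id: str   # which booking provider this key belongs to
    digest: bytes      # SHA-256 of the secret part; the secret itself is never stored
    active: bool = True


# Registry keyed by the public key id (assumed in-memory stand-in for a database).
# A provider may hold several keys at once, so a new key can be issued and rolled
# out before the old one is revoked.
Registry = Dict[str, KeyRecord]


def _digest(secret: str) -> bytes:
    # Keys are minted with 256 bits of entropy, so a fast hash is adequate here;
    # a slow KDF is only needed for low-entropy, human-chosen secrets.
    return hashlib.sha256(secret.encode()).digest()


def issue_key(registry: Registry, provider_id: str) -> str:
    """Mint a key for a provider and return it as 'key_id.secret' (shown once)."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    registry[key_id] = KeyRecord(provider_id, _digest(secret))
    return f"{key_id}.{secret}"


def revoke_key(registry: Registry, key_id: str) -> bool:
    """Deactivate a key; returns False if the id is unknown."""
    rec = registry.get(key_id)
    if rec is None:
        return False
    rec.active = False
    return True


def authenticate(registry: Registry, api_key_header: Optional[str]) -> Optional[str]:
    """Validate an X-Api-Key header value; return the provider_id or None."""
    if not api_key_header or "." not in api_key_header:
        return None
    key_id, _, secret = api_key_header.partition(".")
    rec = registry.get(key_id)
    if rec is None or not rec.active:
        return None
    # compare_digest runs in constant time, so a wrong secret does not leak
    # how many digest bytes matched through response timing
    if not hmac.compare_digest(_digest(secret), rec.digest):
        return None
    return rec.provider_id
```

Pair this with TLS on every call and per-provider rate limiting; the key only identifies the booking provider, it does not by itself authorize a specific end user's booking.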