Warren Parad
1 min read · Dec 19, 2023


That falls under #2 as an API Key. So realistically you don’t want to use the client_credentials grant, for the reasons specified. If you want to stay in the OAuth realm, you at least want to use the urn:ietf:params:oauth:grant-type:jwt-bearer as this is most similar to #5 that is listed here.

[Re: OAuth] — Just to be clear, the OAuth2.0 comparable methods are for interacting with the Authorization Server (AS) only. For interactions between multiple service clients, you would always be using a JWT returned. If you only have one service then, it’s the same as API Keys, and when you have multiple ones then the important security boundary happens at the AS. Spraying API keys or other mechanisms between multiple services is much less secure than using centralized Auth to generate JWTs. But even using that there are varying levels of secure paradigms. For the most secure strategy, still pick #5, which of course requires an AS with the level of security provided by Authress or another provider that offers a similar level of EdDSA security.

Written by Warren Parad

CTO and Founder Authress, Complete Auth for B2B.