There are three standard ways to manage API authentication these days: API keys, OAuth tokens and JSON Web tokens (JWT). Adam Duvander over at the Zapier engineering blog explains how and when to use them. The humble API key is the common and earliest form of API authentication.
Pokémon Go has become a runaway hit and many developers are showing their enthusiasm for the game by reverse engineering the private, internal Pokémon Go API and creating unofficial third-party apps. The current situation of the Pokémon Go API exemplifies mobile API security concerns.