Jun 25, 2020 08:03 PM|bruce (sqlwork.com)
you don't secure the external api (that's their job). you secure your site. your site (even if only web pages) becomes an open api. the code that calls the external api should verify the user is allowed to make the call, and the data passed is allowed to be sent by the user.
if your site is given admin access to the second site, rather than passing the user, then you need more verification of the requests.
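
The checks described in the post above, sketched as an added example that is not part of the original post: a server-side wrapper that authorizes the signed-in user and the submitted data before the site uses its own admin credential on the second site. `ACTION_POLICY`, `FakeExternalApi`, `call_external` and the role names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the signed-in user may not make this upstream call."""

@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)

# Constructed policy: the role needed for each upstream action and the
# fields a user is allowed to supply for it.
ACTION_POLICY = {
    "update_profile": {"role": "member", "fields": {"display_name", "email"}},
    "refund_order": {"role": "support", "fields": {"order_id", "amount"}},
}

class FakeExternalApi:
    """Stand-in for the second site; records what was sent with the admin key."""
    def __init__(self):
        self.calls = []

    def send(self, action, account_id, payload):
        self.calls.append((action, account_id, payload))
        return {"status": "ok"}

def call_external(api, user, action, account_id, payload):
    policy = ACTION_POLICY.get(action)
    if policy is None:
        raise Forbidden(f"unknown action {action!r}")
    # 1. Is this user allowed to make the call at all?
    if policy["role"] not in user.roles:
        raise Forbidden(f"{user.user_id} lacks role {policy['role']!r}")
    # 2. The second site trusts our admin credential, so ownership has to be
    #    enforced here: non-support users may only act on their own account.
    if "support" not in user.roles and account_id != user.user_id:
        raise Forbidden("account does not belong to the caller")
    # 3. Is the data something this user may send? Reject unexpected fields
    #    rather than forwarding them.
    extra = set(payload) - policy["fields"]
    if extra:
        raise Forbidden(f"fields not allowed: {sorted(extra)}")
    return api.send(action, account_id, dict(payload))
```
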