An Oauth2 token via http header works very well. Of course, you'll want to send only encrypted requests.