link: Web Security OWASP API Security References: Check for a lot of details and recommendations: Authentication - OWASP Cheat Sheet Series