Not a security guy in any sense, but working with B2B often.<p>Request signing by a shared secret (JWS or JWS-based) is what I see at almost everyone we work with in the small business range. But I doubt its purpose really: they do not rotate keys ever, and also if someone intercepted a request in plain text, they could still do some damage. For persistent links, a rotated shared secret simply attached to a request, IOW basic auth, would be enough.<p>I think some of them would do that, but looking “unprofessional” in the eyes of your partners feels bad. They are happy to log into their email and banks with a cookie, but in B2B it’s bad form. Consider this if politics is a thing.<p>You probably want to analyze your attack surfaces and use a corresponding technology. If it’s just info/events, basic auth is okay. If the access is subject to change/revoke, use time-limited tokens like JWT. If it’s financial ops, sign every request so that an attacker couldn’t forge a request in their favor. TL;DR: it depends.<p><i>Basic auth would work well for our needs and it's very easy to build and use</i><p>So much yes. For some companies it takes weeks to implement correct auth, because developers cannot write good guides on average and don’t understand each other, contrary to common beliefs. They aren’t all FAANG graduates. Integration slows down so much because of that. Make sure that you provide enough documentation, <i>working</i> examples and in-API auth debug modes, if you decide to implement non-basic auth.
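
An added example, not part of the comment above and not any particular vendor's API: one way per-request signing with a shared secret, plus the kind of auth debug mode the comment asks for, could look using HMAC-SHA256. The canonical string layout, the 300-second freshness window, the sample request and all function names are assumptions.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds; assumed freshness window for signed requests


def canonical(method, path, body, ts):
    """Bytes covered by the signature: method, path, timestamp, body hash."""
    digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{ts}\n{digest}".encode()


def sign(secret, method, path, body, ts):
    """Client side: MAC over the canonical string with the shared secret."""
    msg = canonical(method, path, body, ts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, method, path, body, ts, signature, now, debug=False):
    """Server side: return (ok, reason). Reason is specific only in debug."""
    def fail(detail):
        # Outside debug mode (e.g. production) give no hint about the cause.
        return False, detail if debug else "unauthorized"

    if abs(now - ts) > MAX_SKEW:
        return fail(f"timestamp {ts} outside +/-{MAX_SKEW}s of server time {now}")
    expected = sign(secret, method, path, body, ts)
    if not hmac.compare_digest(expected, signature):
        # Echo what the server signed, never the secret or the expected MAC,
        # so an integrator can diff it against their own canonical string.
        shown = canonical(method, path, body, ts).decode()
        return fail("signature mismatch; server canonical string: " + repr(shown))
    return True, "ok"


# Constructed sample request (not real data)
SECRET = b"constructed-demo-secret"
BODY = b'{"amount": 100, "to": "acct-1"}'
TAMPERED = b'{"amount": 100, "to": "acct-2"}'
TS = 1_700_000_000
SIG = sign(SECRET, "POST", "/v1/transfers", BODY, TS)

if __name__ == "__main__":
    print(verify(SECRET, "POST", "/v1/transfers", BODY, TS, SIG, now=TS + 10))
    print(verify(SECRET, "POST", "/v1/transfers", TAMPERED, TS, SIG,
                 now=TS + 10, debug=True))
```

The timestamp only bounds how long a captured request stays usable; rejecting repeats inside the window would additionally need a server-side store of seen request IDs, which this sketch leaves out.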