[ttharma]

Agreed, and theScore client apps actually use OAuth. We use HTTP Token Authentication for internal services with a limited number of consumers (other internal services). For this purpose, static and shared credentials are fine.

[lsh123]

If this is an internal services call, then I am not sure what is the value of having HTTP authentication. Personally, I would setup X509 certificates on both client and server; and then just use those for the authentication. Plus IP restriction if you are hosting in the cloud.