This document outlines 9 options for securing server-to-server API calls between an app and its partner: 1) mutual server whitelisting, 2) HTTPS with TLS 1.2 and AES 256 encryption, 3) client-side certificates for mutual authentication, 4) basic authorization in HTTP headers, 5) custom headers with client ID/secret for app registration, 6) custom or standard JSON Web Token headers, 7) OAuth 2 using client credentials, 8) payload encryption with shared AES 256 keys, and 9) payload encryption with RSA and dynamic AES keys.