REST API authentication patterns for external integrations

I'm building an integration between Heratio and our institutional CMS. The ahgAPIPlugin provides webhook support, but I need to understand the authentication flow better.

Questions:

1. What auth method is recommended for server-to-server communication?
2. Is there rate limiting on the API endpoints?
3. Can we use OAuth2 tokens from the registry login?