Which of the following is a secure way to authenticate API requests?

Prepare effectively for the MuleSoft Anypoint Architect Certification Exam. Use flashcards and multiple choice questions for deeper understanding. Each question includes hints and detailed explanations. Ace your exam now!

Using OAuth tokens with limited scopes is a secure way to authenticate API requests because it allows for fine-grained access control and ensures that access is granted only to the resources needed for a specific task. OAuth is designed to provide specific permissions defined by scopes, so users can only perform actions that they are authorized to do. Additionally, OAuth tokens can be short-lived and can be refreshed, minimizing the risk of long-term exposure.

This method also supports better security practices such as token revocation and expiration, which further enhance protection against unauthorized access. By utilizing OAuth, applications can securely handle user authentication without exposing sensitive information like usernames and passwords.

In contrast, storing usernames and passwords in plain text presents a significant security risk, as this information can easily be compromised. Similarly, using static shared keys across all users poses a risk since if one key is compromised, it endangers the security of all accounts using that key. API tokens generated per session might offer some level of security, but without the advanced features of OAuth such as scope limitation and revocation, they do not provide the same level of granularity and control.
