A hotel chain wants third-party partners to redeem loyalty points on behalf of members.Which API security model is most appropriate?