Just to make sure: you want to authenticate a user on an API which is not Mendix?
If you expose an API, the easiest authentication method is basic authentication (i.e. username and password). You do this by creating a user (or account) in Mendix with the correct roles. This account is meant for the application which you want to have access to your system, so even though it is not a person, it is still an account. You let the other system send a basic authentication header with the username and password.
The disadvantage of your approach is that you need to create authentication yourself: the API is anonymous, and you verify the header yourself. This is more work, not standard, and therefore less secure than using the out-of-the-box username and password authentication method provided by Mendix.