Published REST API and Custom authentication method

Hello team,  I have successfully created REST API service which is consumed by application out of Mendix environment, but I have a problem to integrate proper authentication mechanism. Since the documentation is poor for this topic at least, I understand “Username and password” as method within scope of Mendix app when the credentials are validated for currently logged user. The application uses SSO method for authentication so this approach cannot be applied, right? The same stands for “Active session” authentication method so these two methods are irrelevant form my point of view. So only the last method left, “Custom” authentication. The preferred way in this case would be to use API Key, but I have no clue how to return the right user object what is a mandatory output from microflow which is always performed when the service is called out.  Is there any example or how did you solve authentication of REST service consumed from external application? Thanks in advance.      
1 answers

One approach is to not use the built in security, but do you own validation in the microflows that are being called. 

For example, have a sub microflow that handles authentication and have that return a boolean. This could look at headers and see if there is an API key present, and if it is, it could compare that to keys you may have added to your domain model. You can then use this action in your REST service’s microflows, so if it’s not authenticated you can drop out early on with a 403 Forbidden response.