Hello, I'm using Okta to protect a RESTful API using OpenID.  This works well for authenticated users.  I need to take the next step of further protecting the API and restrict consuming applications.

I want to acheive a flow where the calling application must be validated as an approved consumer of the API regardless of a successful authentication of the user.  I can then apply thresholds, CORS policy, etc.

I'm asking in this forum because I'm looking for a best-practices implementation within an Okta eco system (though I do not expect this to be an Okta solution).  My first thought is to implement an application API key that is used in ADDITION TO the bearer token--another header.   Since API keys have received a bad reputation, I want to ensure that there hasn't been a more standard way patterned to acheive this use case.   For instance, 3rd party api modules, api documentation generators, etc-- all these have created solutions based upon assumed standards and I want to conform to those rigid or casual standards if possible.

Again, I basically want to approve the calling application in addition to OpenID.  I would likely implement all the logic to do this in my API (versus any Okta work).  Just looking for a link to or guidance on proper pattern.