If you've already got a built-in data store and want to extend your API to a third party service, chances are you'll need a way to let those users call into your application in a secure way.
In this episode, Monster James dives into a mechanism to create per-user tokens that can easily be revoked or invalidated, while still providing a straightforward way for callers to self-generate the access artifacts they need to use your API.
Note that in broader scenarios something more akin to IdentityServer might be more suitable, allowing different scopes and sets of claims for users who log in through different contexts (web versus API, for example). You can find out more about IdentityServer on GitHub and in a future episode of the Monsters.