Read part 3.5 about Authentication in the documentation and pick the authentication you need for your case:
Currently we use server-to-server communication only. This means any frontend or app that is presented to an end-user/customer is not calling the ORDS REST Service directly but an application layer in between. The application layer manages OAuth client information and OAuth tokens and keeps that information hidden from the frontend. Thus we use Third-Party with Two-legged OAuth (Client_Credential flow).
In ORDS we set privileges for specific URI patterns. Specific roles are allowed to work with specific privileges. Specific roles are granted to each OAuth client. Our services are consumed by different applications. Each application has its own OAuth client. Since each client has its own set of roles, they get access to specific URI patterns depending on their needs.
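
The setup described above, sketched with the ORDS PL/SQL API as an added example that is not part of the original answer. It assumes it is run in an ORDS-enabled schema; every role, privilege, client and URI pattern name is hypothetical.

```sql
-- Added example: all names and patterns below are hypothetical.
DECLARE
  l_roles    owa.vc_arr;
  l_patterns owa.vc_arr;
BEGIN
  -- One role per access need.
  ORDS.create_role(p_role_name => 'orders_role');
  ORDS.create_role(p_role_name => 'billing_role');

  -- A privilege ties protected URI patterns to the roles allowed to use them.
  l_roles(1)    := 'orders_role';
  l_patterns(1) := '/orders/*';
  ORDS.define_privilege(
    p_privilege_name => 'orders_priv',
    p_roles          => l_roles,
    p_patterns       => l_patterns,
    p_label          => 'Orders API',
    p_description    => 'Access to the order endpoints');

  l_roles(1)    := 'billing_role';
  l_patterns(1) := '/invoices/*';
  ORDS.define_privilege(
    p_privilege_name => 'billing_priv',
    p_roles          => l_roles,
    p_patterns       => l_patterns,
    p_label          => 'Billing API',
    p_description    => 'Access to the invoice endpoints');

  -- One two-legged (client_credentials) OAuth client per consuming application.
  OAUTH.create_client(
    p_name            => 'shop_backend',
    p_grant_type      => 'client_credentials',
    p_owner           => 'Example Corp',
    p_description     => 'Application layer of the shop frontend',
    p_support_email   => 'api-support@example.com',
    p_privilege_names => 'orders_priv');
  OAUTH.create_client(
    p_name            => 'finance_backend',
    p_grant_type      => 'client_credentials',
    p_owner           => 'Example Corp',
    p_description     => 'Application layer of the finance tool',
    p_support_email   => 'api-support@example.com',
    p_privilege_names => 'billing_priv');

  -- Each client gets only the roles its application needs.
  OAUTH.grant_client_role(p_client_name => 'shop_backend',    p_role_name => 'orders_role');
  OAUTH.grant_client_role(p_client_name => 'finance_backend', p_role_name => 'billing_role');
  COMMIT;
END;
/
```

With this in place, a token issued to `shop_backend` is accepted on `/orders/*` and rejected on `/invoices/*`. The generated `client_id` and `client_secret` can be read from `USER_ORDS_CLIENTS` and belong only in the application layer's configuration.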