What are some of the relative benefits / limitations of each approach and what use cases do they cover?
Token-based authentication can carry an expiry and other information about the client, but with HMAC we can't set an expiry on the generated HMAC, and the same HMAC can be used for the same request payload; with a token, the request gets rejected if the token itself has expired.
Another difference is that HMAC is more about data authenticity and a token is for client authenticity. In token-based authentication, if the request payload gets modified, you can't validate the data authenticity, but with HMAC any modification to the request payload will lead to an HMAC signature mismatch.
Depending on the requirement, a combination of both token and HMAC is the better approach, and it depends on the use case what we need to protect or validate in order to process a client request.
HMAC contains a nonce and timestamp, which makes it impossible to replay the request.
Along with API authentication, it also needs to mention request throttling for security purposes (avoiding DDoS attacks).
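
Added example (not from any of the posts above): one way to combine the two approaches discussed in this thread, with a token that carries an expiry and an HMAC computed over the request together with a timestamp and nonce. The token table, the secret, the signed field layout and the 300-second window are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # assumed window (seconds) in which a signed request is accepted

# Constructed sample state: token -> (per-client HMAC secret, expiry in epoch seconds)
TOKENS = {"tok-alice": (b"constructed-demo-secret", 2_000_000_000),
          "tok-old": (b"constructed-demo-secret", 1_000)}
SEEN_NONCES = set()  # a real service would use a shared store with TTL = MAX_SKEW


def sign(secret, method, path, timestamp, nonce, body):
    """Client side: HMAC-SHA256 over every field the server relies on."""
    msg = b"\n".join([method.encode(), path.encode(), str(timestamp).encode(),
                      nonce.encode(), hashlib.sha256(body).hexdigest().encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(token, method, path, timestamp, nonce, body, signature, now=None):
    """Server side: return 'ok' or the reason the request is rejected."""
    now = time.time() if now is None else now
    entry = TOKENS.get(token)
    if entry is None:
        return "unknown token"
    secret, expires_at = entry
    if now >= expires_at:                    # token check: client authenticity
        return "token expired"
    if abs(now - timestamp) > MAX_SKEW:      # signature is too old (or too new)
        return "timestamp outside window"
    expected = sign(secret, method, path, timestamp, nonce, body)
    # Constant-time comparison; any change to the body changes the digest.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "signature mismatch"
    # Nonce is recorded only after the signature verifies, so unsigned
    # requests cannot fill the nonce store.
    if (token, nonce) in SEEN_NONCES:
        return "replayed nonce"
    SEEN_NONCES.add((token, nonce))
    return "ok"
```

The timestamp bounds how long nonces must be remembered: a nonce older than `MAX_SKEW` can be discarded because the timestamp check already rejects that request.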