REST API authentication strategy: OAuth2/JWT versus API keys at scale

[Jerry_W]

I'm designing a new REST API for a B2B service and I'm stuck on choosing the right authentication and authorization strategy that balances security, developer experience, and scalability. We need to support server-to-server integrations, mobile clients, and potential third-party access via API keys, but I'm wary of rolling our own solution. For architects who have implemented robust API security, is OAuth 2.0 with JWTs still the go-to standard for most use cases, or are there simpler, more modern alternatives gaining traction? How do you securely manage and rotate API keys at scale, and what are the best practices for implementing rate limiting and monitoring that ties back to authenticated entities rather than just IP addresses?