And what prevents all the services from implementing the same REST API for data exchange + standard API authorization, using the same Auth2 tokens for a registered API key?
Simple: hash = someFunc(secret + message) is added to the request/response. Thus the secret key must be present on the server and on the client.
With great success you can set up SSL, generate a certificate bundle that may be given out to favourites, and use only these certificates for signing code; the rest of the traffic is simply discarded.
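The shared-secret signing described above (hash = someFunc(secret + message)), as an added example that is not part of the original thread: it uses HMAC-SHA256 in place of someFunc, since a plain SHA-256 over secret + message is open to length extension. The signed field layout, the timestamp window, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def sign(secret: bytes, method: str, path: str, body: bytes, ts: int) -> str:
    """Client side: return the hex MAC that is added to the request."""
    # Length-prefix each field so ("GET", "/ab") and ("GE", "T/ab")
    # can never serialize to the same signed byte string.
    parts = [method.upper().encode(), path.encode(), str(ts).encode(), body]
    message = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    # HMAC stands in for the thread's someFunc(secret + message).
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, method: str, path: str, body: bytes,
           ts: int, mac: str, now=None) -> bool:
    """Server side: recompute the MAC with the same secret and compare."""
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW:  # stale or future-dated: limits replay
        return False
    expected = sign(secret, method, path, body, ts)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


# Constructed sample values, not taken from the thread.
SECRET = b"demo-shared-secret"
PATH = "/api/v1/transfer"
BODY = b'{"amount": 10}'
TS = 1_700_000_000


def demo() -> dict:
    """Sign one request, then check it intact, altered, late and mis-keyed."""
    mac = sign(SECRET, "POST", PATH, BODY, TS)
    soon = TS + 5
    return {
        "valid": verify(SECRET, "POST", PATH, BODY, TS, mac, now=soon),
        "tampered_body": verify(SECRET, "POST", PATH, b'{"amount": 9999}',
                                TS, mac, now=soon),
        "replayed_late": verify(SECRET, "POST", PATH, BODY, TS, mac,
                                now=TS + 3600),
        "wrong_secret": verify(b"other-secret", "POST", PATH, BODY, TS, mac,
                               now=soon),
    }


if __name__ == "__main__":
    print(demo())
```

Because both sides hold the same secret, either side can produce a valid MAC; the scheme authenticates the message but does not tell the server and client apart.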