You can use Auth0 to sign up your develpoers either by username-password based authentication, or social entity provider based login , and on successful login they will receive an access_token generated by Auth0,
You can configure your server to accept and validate those tokens based on the unique identifier you embed in the token i-e. audience claim, explained here.
If the token is valid, grant access to the developer to the API else deny request.
For the type of token you are looking for, you could use the concept of refresh tokens here
Here is the complete explanation doc