I have an ASP.NET Core Web API that I want to protect when calling from a mobile app. It’s not user-centric, meaning a user does not need to be logged in. The primary concern is disallowing access from clients/apps that are not my own. What’s the best approach here? Machine to Machine? Is there a way to not expire the access token for this scenario? Or maybe there is a better approach?