How complex/complicated do you want/need to be? Your question is rather generic to be answered easily.
Here is what I do. I only need simple security, as in my case it's public data that is returned. But I want to stop just anybody using this API.
I create a client_secret that I send to everybody that will be using the API. They need to send this client_secret with each request.
The API checks if that client_secret exists in my user table before returning any data. This way I can add or remove client_secrets easily and make sure only people that I want to can access the data.
If you tell us a bit more about your setup and what you are trying to achieve and avoid, we might be able to help you a little better.
On the package it said needs Windows 7 or better. So I installed Linux.
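
The client_secret check described in the post above, as an added example that is not the poster's code. It goes one step beyond the post by storing only a SHA-256 digest of each secret; the `users` table layout, the `X-Client-Secret` header name and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional, Tuple


def _digest(client_secret: str) -> str:
    # Secrets are long random tokens, so a plain SHA-256 is sufficient here.
    # Only the digest is stored, so a leaked table does not leak usable secrets.
    return hashlib.sha256(client_secret.encode("utf-8")).hexdigest()


def open_store() -> sqlite3.Connection:
    # Assumed schema: one row per client, keyed by name, with the secret digest.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (client_name TEXT PRIMARY KEY, "
               "secret_sha256 TEXT NOT NULL UNIQUE)")
    return db


def issue_secret(db: sqlite3.Connection, client_name: str) -> str:
    # Generate the secret server-side and hand it to the client exactly once.
    client_secret = secrets.token_urlsafe(32)
    db.execute("INSERT INTO users VALUES (?, ?)",
               (client_name, _digest(client_secret)))
    return client_secret


def revoke(db: sqlite3.Connection, client_name: str) -> None:
    # Removing the row is all it takes to cut a client off.
    db.execute("DELETE FROM users WHERE client_name = ?", (client_name,))


def authenticate(db: sqlite3.Connection, presented: Optional[str]) -> Optional[str]:
    # Parameterized lookup by digest; returns the client name or None.
    if not presented:
        return None
    row = db.execute("SELECT client_name FROM users WHERE secret_sha256 = ?",
                     (_digest(presented),)).fetchone()
    return row[0] if row else None


def handle_request(db: sqlite3.Connection, headers: dict) -> Tuple[int, str]:
    # Every request must carry the secret; anything else gets a 401.
    client = authenticate(db, headers.get("X-Client-Secret"))
    if client is None:
        return 401, "unauthorized"
    return 200, f"public data for {client}"
```

Send the secret only over HTTPS and in a header rather than the query string, so it does not end up in access logs.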