Private API in REST

Validation throw username and password is a good idea, or maybe restrict by a source-request-ip that should be in the yaml config file?