How would you design a secure authentication and authorization mechanism for an API exposed to both mobile clients and third-party partners?