I created a simple OData v.4 API with Node.js CAP. Let's call it simpleapi-srv.

If I open the application route for this api in the browser I get the following error message: 401 - Unauthorized.

I therefore created another application simpleapi based on the standalone app router. If I open the application route of this app I can login with my BTP user (and sucessfully work with the API). I understand by calling the app with the standalone app router the app router handles (with the help of the xsuaa) service the SAML / OAuth flow and ensures (via re-direction) the login process.

My question:
How can I provide an API-URL to an external partner and how do I grant him corresponding authorization? So e.g. he can use the API endpoint via postman or within his custom application development (outside BTP).

Does it make sense to create a service key for simpleapi and use the OAuth credentials from the key? How do I manage authorization (scopes and roles). I assume the CDS role defintion do not have any effect for the user in the service key....?