user45139

Hmm. Well, curl with basic authentication is acceptable - remember though that the syntax is curl --user name:password https://yoursite.com and this means that you will have to hard code credentials in the code that invokes your REST API - typically if it's Ajax - then we're talking client side code and that means exposing credentials in the browser (or in a mobile app) which is a vulnerability.

I think that you can improve with a 2 step approach which is pretty common practice:

When the user logs in (app or browser) - get username/password from a form and use curl with basic authentication to ask the server for a TOTP time based one time token. I don't know what language you're using but in Node JS there are libraries like this https://github.com/guyht/notp that are active and maintained projects.

If you are hosting on Azure you can use Azure SAS shared access which is part of the Azure infrastructure and saves you code and testing.