Secure REST endpoint in custom Confluence plugin

Hi all,

I’ve been tasked with developing a Confluence plugin to control Comala Document Management page workflows from outside. To be a bit more specific, we are developing an integration solution for Moodle. Course participation is prepared in a Confluence page, and course progress in Moodle is supposed to set workflow states in the page workflow accordingly.
A REST endpoint sounds like it could be a good solution to expose the functionality needed to Moodle, or better, the Moodle Tool Trigger plugin which can compose parameterized URLs to call remote targets.
The problem is that this does not seem secure at all. Exposing a REST endpoint to the internet to be connected from a different internet resource just cries for something like OAUTH. But I cannot find any clue on how to do that with what the Atlassian SDK and the online documentation materials are presenting.
Maybe REST endpoints are automatically covered by the security model of Confluence? If so, how would I establish a connection from a remote server without harassing the users (in Moodle) with 2-factor authentication pop-ups and the like? Is there a concept like application tokens for this purpose? Moodle should be able to send event-driven data to the REST endpoint anytime. If authentication is required, it should happen mostly inline and automatic. The connection should be transparent and secure at the same time. Malicious use of the REST API should not be possible to send faux progress data, or gain entrance to Confluence on any level. How is that done if a Confluence plugin’s REST API is the target?
Would be really grateful for any pointer.

Thank you very much!
Cheers,
Johannes