If you are sending or receiving any kind of sensitive information, I would consider HTTPS an absolute minimum requirement. You don't need a "real" certificate; anything self-signed will do (as long as you can get all the systems involved to trust it), but without HTTPS, your communication is clear text and anyone else on the network can listen in.
The actual level of credentials/authorization is basically up to you. Webdev currently only supports basic auth, which is generally not regarded as sufficient. You can do something as simple as generate a truly random sequence, encode it, and send it from the client as a header you verify in your endpoint. That's probably where I'd start.
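The random-token header check described above, as an added example that is not part of the original post: plain Python 3 rather than Webdev's own scripting API, with the header name `X-Api-Token` and the dict-of-headers request shape as assumptions. The server keeps only a SHA-256 digest of the token and compares it in constant time.

```python
import hashlib
import hmac
import secrets

TOKEN_HEADER = "X-Api-Token"  # hypothetical header name, not defined by the page


def generate_token(nbytes=32):
    """Create a client token from the OS CSPRNG.

    Returns (token, digest). Hand the token to the client once; store only
    the SHA-256 hex digest on the server so a leaked config does not leak
    a usable credential.
    """
    token = secrets.token_urlsafe(nbytes)  # "generate ... and encode it"
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    return token, digest


def verify_request(headers, stored_digest):
    """Return True only if the request headers carry the matching token.

    `headers` is assumed to be a dict of header name -> string value.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    presented = normalised.get(TOKEN_HEADER.lower())
    if not presented:
        return False  # missing or empty header: reject, never default-allow
    try:
        presented_digest = hashlib.sha256(presented.encode("ascii")).hexdigest()
    except UnicodeEncodeError:
        return False  # tokens are ASCII by construction; anything else is invalid
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(presented_digest, stored_digest)


if __name__ == "__main__":
    token, digest = generate_token()
    # Constructed sample requests, not captured traffic.
    print(verify_request({"x-api-token": token}, digest))       # valid token
    print(verify_request({"X-Api-Token": "guess"}, digest))     # wrong token
    print(verify_request({"Accept": "application/json"}, digest))  # no token
```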