The only approach that I consider safe is getting a token through some login system, and with that token you get access to other APIs.
However, it's not always possible to add a login system to your app. In that case, I'd suggest options 1 and 2, with the downside that the security level is not that high.