HTTP apps can request that Mattermost includes a secret-based JWT in each request. See the HTTP Deployment documentation for details.
AWS apps are invoked via the AWS Lambda Invoke and S3 Get APIs, which are authenticated with “invoke” AWS credentials (access/secret keys). See the AWS Deployment documentation for details.
OpenFaaS and Kubeless calls and static authentication are still TBD.