HTTP apps can request that Mattermost include a secret-based JWT in each request. See HTTP Deployment for more.
AWS apps are invoked via the AWS Lambda Invoke and S3 Get APIs, which are authenticated with “invoke” AWS credentials (access/secret keys). See AWS Deployment for more.
OpenFaaS and Kubeless calls and static authentication are still TBD.
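For the HTTP case above, an app has to verify the JWT against its shared secret before trusting the request. The following is an added example, not code from Mattermost or its docs, and it assumes the token is signed with HS256 and carries an `exp` claim; `make_token`, `verify_request_jwt` and the sample secret are hypothetical names and values constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sign(signing_input: str, secret: bytes) -> str:
    return b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())


def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a constructed sample token (stands in for what the server would send)."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{sign(head + '.' + body, secret)}"


def verify_request_jwt(token: str, secret: bytes, now=None, leeway: int = 30) -> dict:
    """Return the claims of a token signed with the shared secret, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm (assumed HS256): never let the token choose "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Recompute the signature and compare in constant time.
    if not hmac.compare_digest(sign(f"{head}.{body}", secret).encode(), sig.encode()):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    now = time.time() if now is None else now
    # Assumption: tokens carry an "exp" claim; reject if it is missing or stale.
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("missing exp")
    if now > claims["exp"] + leeway:
        raise ValueError("token expired")
    return claims
```

The signature is checked before the payload is parsed, so unauthenticated claims are never interpreted.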