API write to database?
Good day, a question came up: how do I implement API access that will write to and update the database? I'm interested in how it works. You can't just have a link to an entry in the database..
Something like
/api/users/?action=getAllUsers // Get all users with a GET request..
/api/users/?action=create
/api/users/?action=update&user_id=534
/api/users/?action=delete&user_id=957
I will send the data by a POST request via AJAX. But the question is about remote access: after all, you can't send POST data to the server remotely..
And how do I ensure security so that no curious person could use the API? Some kind of verification is needed.. a key or something.. Something like..
/api/users/?action=getAllUsers&key=H35lgjs359gdsjl^648sfh523fa9sgwdlgs
But there is no point in passing the key in the clear..
After all, you cannot remotely send POST data to the server
In fact, the task is deep and very subjective - like, do it however you want; the security issue will always hurt anyway.
Here are my sketches:
https://vk.com/away.php?to=https%3A%2F%2Fdocs.goog...
At Google, say, it's done very elaborately - there is an access service for every large application. Several types of users are created there: either those who use the program as a client, or admins, or servers (service accounts).
The first two are humans, the third are usually computers. Since, unlike computers, people tend to fuck everything up and forget, they constantly have to obtain a token valid for a day, proving that they are who they say they are. For the computer, a secret key is stored in a file and sent to your system with every request, without requiring a token.
All sorts of things have been built on these ideas. VKontakte, for example, requires you to get a token for each request from the server or to check whether it has expired. Why the server needs a token - who the hell knows. Well, maybe because a hard drive can be stolen from a computer, but then again - what prevents you from getting a token with the stolen file? Nothing. Useless.
Those with little money put the password in a GET parameter and just check it.
Medium budgets - they register accounts and issue logins and passwords, but this is not suitable for public services, because there are idiots who go online from a neighbor's computer and get their passwords compromised - for them they came up with tokens and SMS confirmation at the slightest hint of a change of location.
At the moment, the clearest and most secure system is considered to be a whitelist of IP addresses together with SSH keys and forwarded SSH ports. The keys ensure the uniqueness of the person; the IP additionally indicates that it is most likely a specific someone trying to get something going; and the ports are moved to reduce the number of attacks by stupid bots on port 22. That gives access to the computer's console, though, and won't let you into a PHP script, so you can only borrow the principle.
But let's say there is wild inconsistency about these keys among the creators of operating systems, because they kind of terribly undermine the "anonymity of the Internet." Therefore, it is almost impossible to explain to an ordinary client on a site what a key pair is - it eats up any brain when you start getting confused between private and public, server private and server public, and which one is needed for what.
In fact, everything is simple there: the first (private) key belongs to you and is created on your computer. From it you can create the second (public) one, which you can send to anyone. That anyone adds it to his "whitelist", and also puts it in a folder belonging to some user, to associate the login with you - i.e. you may be Griha, and on his computer you are gzhegow, so he puts your key in the gzhegow folder and then also tells the program that such-and-such a key may log in. After that, whoever has the private key can go wherever his public key is in the whitelist. In general, that's all. This is how a server-to-server connection is made, for example: they created two private keys, derived two public keys from them, exchanged the public ones, and everything works - you can remotely give a command from one server to another and they don't need an "allow connection" button.
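As an added example (not from the question or the answer), here is one way to avoid passing the key in the clear as the question's URL does, following the answer's model of a secret key stored on the client machine: the client signs each request with a per-client secret (HMAC over the method, path, sorted parameters, a timestamp and a nonce), and the server recomputes and compares the signature, rejecting stale or replayed requests. The client id, the secret and the `/api/users/` endpoint are made-up sample values.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed sample: server-side table of per-client secrets (never sent over the wire).
CLIENT_SECRETS = {"client-42": "example-secret-change-me"}
SIGNATURE_TTL = 300        # seconds a signed request stays valid
_seen_nonces: set = set()  # (client_id, nonce) pairs already accepted; in-memory stand-in for a store

def canonical_string(method, path, params, timestamp, nonce):
    # Both sides must serialize identically, so parameters are sorted before encoding.
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, str(timestamp), nonce])

def sign_request(client_id, method, path, params, timestamp=None, nonce=None):
    """Client side: produce the headers that accompany a /api/users/?action=... request."""
    secret = CLIENT_SECRETS[client_id]
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, params, timestamp, nonce)
    sig = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}

def verify_request(method, path, params, headers, now=None):
    """Server side: accept only a valid, fresh, not-yet-seen signature."""
    now = int(time.time()) if now is None else now
    client_id = headers.get("X-Client-Id")
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None:
        return False                                  # unknown client
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > SIGNATURE_TTL:
        return False                                  # stale request or clock skew
    nonce = headers.get("X-Nonce", "")
    if not nonce or (client_id, nonce) in _seen_nonces:
        return False                                  # replayed request
    msg = canonical_string(method, path, params, ts, nonce)
    expected = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False                                  # tampered parameters or wrong secret
    _seen_nonces.add((client_id, nonce))
    return True
```

The nonce set and the secret table are in-memory stand-ins; in a deployment they live in a shared store, and the exchange still goes over TLS so the parameters themselves are not exposed.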