Having a REST API where customers will log on and use our API, what would be a proper way to secure it? Today we let a server connect using a pre-given username:password, sending it in a header encoded with base64. In return, we send back a token that the connecting service puts into a header when posting requests.

All calls are using HTTPS to an IIS server that redirects the call to our PAOE server using the AJP13 port.

First of all, if anyone knows the username:password, they will get in. We have, for some customers, an IP check, so that helps, but what would be a good way of protecting server-to-server communication?

I have not read up on C-P; where should I do that? What information should be read before going further?
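The exchange described in the post (Basic-auth logon, then a token in a header on every later request), written out server-side as an added example that is not part of the original post. It assumes a constructed customer record with an allowlisted network, passwords stored as salted PBKDF2 hashes rather than plaintext, a server-held HMAC key for signing short-lived tokens, and a hypothetical `X-Auth-Token` header name; the IP check from the post is folded into the logon step.

```python
import base64
import hashlib
import hmac
import ipaddress
import os
import secrets
import time

# Assumed: in production the key comes from a secret store and survives restarts.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 900  # assumed 15-minute token lifetime


def make_credential(password, salt=None, iterations=200_000):
    """Store only a salted PBKDF2 hash of the shared password, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


# Constructed sample customer: one service account limited to one network.
CUSTOMERS = {
    "acme-svc": {
        "cred": make_credential("correct horse battery staple"),
        "allowed_nets": [ipaddress.ip_network("203.0.113.0/24")],
    },
}
# Used so an unknown username costs the same time as a wrong password.
DUMMY_CRED = make_credential("dummy")


def basic_auth_header(user, password):
    """Client side: the 'Authorization: Basic base64(user:pass)' header from the post."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def verify_password(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time comparison


def ip_allowed(customer, client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in customer["allowed_nets"])


def issue_token(user, now=None):
    """Token = base64url(user:expiry) '.' base64url(HMAC-SHA256 over that body)."""
    now = int(time.time() if now is None else now)
    body = f"{user}:{now + TOKEN_TTL_SECONDS}".encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token, now=None):
    """Return the user the token was issued to, or None if forged, malformed or expired."""
    now = int(time.time() if now is None else now)
    try:
        b64body, b64sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64body)
        sig = base64.urlsafe_b64decode(b64sig)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    user, _, expiry = body.decode("utf-8", "replace").rpartition(":")
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return user


def login(headers, client_ip, now=None):
    """Logon step: Basic auth + IP allowlist -> short-lived token, or None."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None:
        return None
    user, password = creds
    customer = CUSTOMERS.get(user)
    if customer is None:
        verify_password(DUMMY_CRED, password)  # equalise timing, then reject
        return None
    if not ip_allowed(customer, client_ip) or not verify_password(customer["cred"], password):
        return None
    return issue_token(user, now)


def authorize_request(headers, now=None):
    """Every later request: the token travels in the assumed X-Auth-Token header."""
    return verify_token(headers.get("X-Auth-Token", ""), now)
```

The shared password still lets anyone who holds it log on, which is the weakness the post points at; what the example changes is that a leaked credential store no longer yields passwords, a stolen token is only useful until it expires, and a forged or altered token fails the HMAC check. Whether the logon is attempted from outside the allowlisted network or with a wrong password, the response is the same `None`, so the caller learns nothing about which check failed.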