IMHO likely it's worth mentioning, but isn't that actually out of scope here?
Or in other words, I would first only transition the as-is state of EPP, with user/password with simple auth.
Important factor here would be that the authentication should move to the HTTP layer rather than the payload. This has loads of benefits on its own - for example one can peek the payload on the server without any risk of exposing credential data. Also the authentication/authorization may be off-loaded to an API gateway, which is also a way to address performance challenges and separate the concerns of the underlying systems.
Other methods, like bearer token based authentication and authorization, with specific flows like OAuth I would leave to separate specifications. We may mention it as extension point however.
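The payload-versus-HTTP-layer point in the comment above, as an added example that is not part of the original comment or of any specification text: a gateway step checks HTTP Basic credentials from the header, and the backend step logs the payload without credential data in it. The function names, the client id, the password, the salt and both payloads are constructed for illustration; the EPP `<login>` shape is simplified.

```python
import base64
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed value, illustration only

def _kdf(password):
    # Store and compare a derived key, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"registrar1": _kdf("s3cret-example")}  # constructed credential store

# As-is EPP (simplified): the password travels inside the command payload,
# so any payload log or debug dump contains it.
EPP_LOGIN_PAYLOAD = ("<epp><command><login><clID>registrar1</clID>"
                     "<pw>s3cret-example</pw></login></command></epp>")

# HTTP-layer auth: the credential exists only in the Authorization header.
HTTP_REQUEST = {
    "headers": {"Authorization": "Basic "
                + base64.b64encode(b"registrar1:s3cret-example").decode()},
    "body": "<epp><command><check>example.nl</check></command></epp>",
}

def gateway_authenticate(headers):
    """Return the client id for valid Basic credentials, else None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode()
    except ValueError:  # covers malformed base64 and non-UTF-8 bytes
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    supplied = _kdf(password)  # derived even for unknown users
    if expected is not None and hmac.compare_digest(expected, supplied):
        return user
    return None

def handle(request, log):
    """Gateway check first; the backend only sees client id and payload."""
    client = gateway_authenticate(request["headers"])
    if client is None:
        return 401
    log.append(f"client={client} payload={request['body']}")  # no secret here
    return 200
```
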
maybe describe requirements for auth schemes?
best fit would be something like JSON Web Token (JWT) https://datatracker.ietf.org/doc/html/rfc7519
where server can validate token after client gets token from auth server.
how much of this process do we need to describe?