The described scenario looks like a classic case for OAuth 2.0 authorisation with self-contained bearer access tokens.
The clients will be authenticated and issued an access token at the OAuth 2.0 authorisation and/or token endpoint. The access token can be represented by a signed JWT which encodes the permission scope and validity time-frame in a JSON object that is signed with the OAuth 2.0 server's RSA key. The X, Y, and Z services only need to check the signature upon receiving the JWT access token in order to clear the request. This will save you the network call to the auth service, and an RSA signature check can be done in about 100 microseconds, which is a lot less than an HTTP request (in the order of tens of milliseconds or more).
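The local check described above, as an added example that is not part of the original answer: a resource service verifies an RS256-signed JWT with only the server's public key, then applies the validity window and scope it carries. The function names, the `x:read` style scope values, the use of the `exp`, `nbf` and `scope` claims, and Node's built-in `crypto` module are assumptions for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constructed stand-in for the authorisation server: signs the claims with its RSA private key.
function issueToken(privateKey, claims) {
  const signingInput = `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(claims)}`;
  const sig = nodeCrypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Resource-service side (X, Y or Z): needs only the server's public key, no network call.
function verifyAccessToken(token, publicKey, { requiredScope, now = Date.now() / 1000 }) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !claims) return { ok: false, reason: "malformed" };
  // Pin the algorithm; never let the token header pick it ("none", HS256 with the public key).
  if (header.alg !== "RS256") return { ok: false, reason: "bad alg" };
  const sigOk = nodeCrypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
  if (!sigOk) return { ok: false, reason: "bad signature" };
  // Claims are trusted only after the signature check: validity window, then scope.
  if (typeof claims.exp !== "number" || now >= claims.exp) return { ok: false, reason: "expired" };
  if (typeof claims.nbf === "number" && now < claims.nbf) return { ok: false, reason: "not yet valid" };
  const granted = String(claims.scope || "").split(" ");
  if (!granted.includes(requiredScope)) return { ok: false, reason: "insufficient scope" };
  return { ok: true, claims };
}

// Constructed sample run: a throwaway key pair and a token with a 5-minute lifetime.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const now = Math.floor(Date.now() / 1000);
  const token = issueToken(privateKey, { sub: "client-1", scope: "x:read y:read", nbf: now, exp: now + 300 });
  return {
    valid: verifyAccessToken(token, publicKey, { requiredScope: "x:read", now }),
    expired: verifyAccessToken(token, publicKey, { requiredScope: "x:read", now: now + 301 }),
    wrongScope: verifyAccessToken(token, publicKey, { requiredScope: "z:write", now }),
  };
}
```

Because the token is self-contained, a service keeps accepting it until `exp` passes, so the lifetime the server sets bounds how long an issued token stays usable.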