I have something similar implemented in my public-facing API, where some of the methods are only allowed to be called by Administrators.
Administrative method signatures include a string parameter that accepts the unique identifier strings that I have previously assigned to administrator users.
Then on every method call I check whether the provided API key belongs to an administrator, and throw an unauthorized exception if it doesn't, or respond to the call with data if it does.
Example method:
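    public decimal GetCompanyBalance(string APIKey, int CompanyId)
    {
        // Look up the caller; if the lookup returns null (unknown key), reject as well.
        var user = UserManager.GetByAPIKey(APIKey);
        if (user == null || !user.IsAdmin)
        {
            throw new UnauthorizedException();
        }
        return Company.GetBalance(CompanyId);
    }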
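
An added example, not part of the original answer: the same admin check pulled into one fail-closed helper, so a missing or unknown key is rejected exactly like a non-admin one and every administrative method shares the same check. `ApiKeyAuth`, `ApiUser`, `RequireAdmin`, the sample keys and the in-memory store of SHA-256 key hashes are hypothetical, and the returned balance is a constructed value.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Hypothetical stand-ins for the answer's UnauthorizedException and user type.
public class UnauthorizedException : Exception { }
public class ApiUser { public string Name; public bool IsAdmin; }

public static class ApiKeyAuth
{
    // Constructed sample store keyed by SHA-256(API key); raw keys are not kept.
    private static readonly Dictionary<string, ApiUser> UsersByKeyHash = new Dictionary<string, ApiUser>
    {
        [Hash("admin-key-constructed")] = new ApiUser { Name = "alice", IsAdmin = true },
        [Hash("user-key-constructed")] = new ApiUser { Name = "bob", IsAdmin = false },
    };

    private static string Hash(string apiKey)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(apiKey)));
    }

    // Fails closed: a missing, unknown, or non-admin key all raise the same exception.
    public static ApiUser RequireAdmin(string apiKey)
    {
        if (string.IsNullOrEmpty(apiKey) ||
            !UsersByKeyHash.TryGetValue(Hash(apiKey), out var user) || !user.IsAdmin)
            throw new UnauthorizedException();
        return user;
    }
}

public static class Program
{
    // Admin-only method in the answer's shape; the returned balance is constructed.
    public static decimal GetCompanyBalance(string apiKey, int companyId)
    {
        ApiKeyAuth.RequireAdmin(apiKey);
        return 1250.00m;
    }
    public static void Main()
    {
        foreach (var key in new[] { "admin-key-constructed", "user-key-constructed", "unknown", null })
        {
            try { Console.WriteLine($"{key ?? "(null)"}: {GetCompanyBalance(key, 42)}"); }
            catch (UnauthorizedException) { Console.WriteLine($"{key ?? "(null)"}: unauthorized"); }
        }
    }
}
```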