
API Platform has a good JWT implementation guide that helps you implement JWT token authentication with username and password. Be sure to check out the configuration page as well.
But if you also want to implement the OAuth2 workflow while also using your own authorization server, you could go ahead and use the FOSOAuthServerBundle for that.
For testing endpoint functionality, I am using Insomnia, an alternative to Postman.
The crux (“simply”) lies in securing the API endpoint of your choice with fos_oauth: true and then securing your controller functions further, either with Symfony's built-in security or, more easily, with SensioFrameworkExtraBundle’s @IsGranted('ROLE_[...]') annotation.
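
A firewall layout for this setup, as an added example rather than configuration from the original post. The ^/api and ^/oauth/v2/token patterns and the firewall names are assumptions; adjust them to the routes your application actually exposes.

```yaml
# config/packages/security.yaml (added example; paths and names are assumptions)
security:
    firewalls:
        # The token endpoint must be reachable without a token, because this
        # is where clients exchange credentials for an access token.
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false

        # Every request under /api must carry a valid OAuth2 access token.
        # Declare this before any catch-all firewall: the first matching
        # pattern wins, so a broader firewall listed earlier would bypass it.
        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true

    access_control:
        # Reject anything under /api that did not authenticate through the
        # firewall above. Role checks per controller action are layered on
        # top of this with @IsGranted.
        - { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
```

With this in place, a request to an /api route without a valid bearer token should be rejected with a 401 before it reaches the controller, which is the first thing to verify in Insomnia.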