when servers talk to each other, how do you deal with the security stuff for APIs? like, how do you make sure it's legit

Hey everyone, I'm trying to figure out the best way to handle secure communication between a bunch of internal microservices. We don't want to just rely on internal network security. What have you guys found works well for server-to-server authentication? Are you guys using API keys, JWTs, mutual TLS, or maybe something totally different? I'm curious about the trade-offs you've seen, like how complicated things get, security implications, and how it affects performance.