What kind of auth is needed for production API, are there additional measures like IP restrictions?

Simple auth is needed for authentication; there are no other restrictions in place.

On a side note, we use ELBSecurityPolicy-FS-1-2-Res-2019-08 security policy.

You can see a list of cipher suites we support here.

Also, credentials are for API usage only and different credentials are needed to access the portal (including 2FA).