Hey! Thanks for reply!
Since I have full control of my app I am flexible on that part. Since we use extensions authentication authorizationServer and already generate and return access_token to jsreport I thought that maybe it can be used for reverse authentication for API calls from studio.
But once again, I can adapt to other strategy if there is one. The main goal is to authenticate user specific API calls from studio to my app without master login/password for all requests.