I'm currently building a REST API. Many of the resources I'm creating will always be identical regardless of who's accessing the resource. The few that aren't will have a
Vary: Authorization is unnecessary; responses to requests with Authorization are automatically private, and won't be cached by shared caches.
You can send Cache-Control: public to override this; responses with that can be cached using the normal rules.
However, if you want those responses to remain authenticated, you need to impose authentication. You can do that by also sending Cache-Control: no-cache, which will force the cache to check with the origin before serving a stored response.
If you just want to have your reverse proxy (e.g., Varnish, nginx) do the caching, it's likely that it has a way of being configured to impose authentication on the "edge", serving the responses from cache when the request has the proper authentication. Check its documentation for details.
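The decision rules the answer above describes, modelled as a small shared-cache simulator. This is an added example, not code from the original post or from any particular proxy; it goes slightly beyond the answer in that it also applies the other RFC 7234 rules that matter here (no-store and private block storage, and must-revalidate or s-maxage also lift the Authorization restriction). The header sets at the bottom are constructed samples.

```python
"""Model of how a shared (proxy) cache treats a response, given the request
that produced it.  Added example, not code from the original answer.  Rules
follow RFC 7234 section 3.2 (requests with Authorization) and section 5.2.2
(response directives); header samples are constructed for illustration."""

from typing import Dict


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into {directive: argument}.
    Directives without an argument map to "" (e.g. "public")."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; header field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def shared_cache_may_store(request: Dict[str, str], response: Dict[str, str]) -> bool:
    """True if a shared cache is permitted to store this response at all."""
    cc = parse_cache_control(_header(response, "Cache-Control"))
    if "no-store" in cc or "private" in cc:
        return False
    # RFC 7234 3.2: a response to a request that carried Authorization is
    # off-limits to shared caches unless the response explicitly opts in
    # with public, must-revalidate or s-maxage.  This is why, as the answer
    # says, Vary: Authorization is unnecessary.
    if _header(request, "Authorization"):
        return any(d in cc for d in ("public", "must-revalidate", "s-maxage"))
    return True


def must_revalidate_before_serving(response: Dict[str, str]) -> bool:
    """True if the cache must check with the origin before reusing the copy.
    A qualified no-cache (no-cache="Set-Cookie") is treated conservatively,
    i.e. the same as an unqualified one."""
    cc = parse_cache_control(_header(response, "Cache-Control"))
    return "no-cache" in cc


def classify(request: Dict[str, str], response: Dict[str, str]) -> str:
    """One-line summary of what a shared cache would do with this exchange."""
    if not shared_cache_may_store(request, response):
        return "not stored"
    if must_revalidate_before_serving(response):
        # Stored, but every hit goes back to the origin for validation, so
        # the origin still gets to check the caller's credentials.
        return "stored; revalidated with origin on every use"
    return "stored; served without contacting origin"


# Constructed samples: an authenticated API request and three origin replies.
AUTHED_REQUEST = {"Authorization": "Bearer example-token"}
RESPONSES = {
    "default":         {"Content-Type": "application/json"},
    "public":          {"Cache-Control": "public, max-age=300"},
    "public_no_cache": {"Cache-Control": "public, no-cache"},
}

if __name__ == "__main__":
    for label, resp in RESPONSES.items():
        print(f"{label:16} -> {classify(AUTHED_REQUEST, resp)}")
```

The third sample is the combination the answer recommends: public lets the shared cache keep the body, while no-cache makes it revalidate with the origin on each use, so an unauthenticated caller still cannot be served the stored copy without the origin checking credentials first.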