You can do this by scripting a CEP panel, but you can also use the Templater plugin from Dataclay to work with API data pretty easily. You point Templater to the API's end-point that responds with JSON object arrays and the values can be mapped to specific layers quite easily.
There is documentation about using URL Feeds with Templater as well. Many users in the Sports-tech world use Templater + AE in their workflow to save time. You can preview the data live within comps.
If the API is behind basic authentication scheme, you can enter the username and password into the "Remote JSON Configuration" dialog. If it requires some kind of OAuth token, then you would need to see what the headers look like from another application that are required to make that request and then get those headers into the "Optional Request Headers". For example, if there was an "Authorization" header that look liked
"Authorization" : "Bearer <long token here>"
In each request that was authorized, you can take that value and paste it onto a new line in the "Optional Request Headers" field. In this case, you would write on one line:
Authorization : Bearer <long token here>
So essentially, you login via your normal app, maybe a browser, and then look at how that browser is making requests, and try to emulate that via the Optional Headers in Templater's Remote JSON configuration dialog. It's not ideal, and is hacky because once the token you grabbed from the authenticated app expires, you would have to change it once more. However, this is the best that can be done given that each API will always have a different method for authentication and authorization.