This concerns SharePoint 2013/2016 on premises - NOT online, Azure is not in the picture - no SPFx
Can I from a web part call an external REST API and pass the user's identity in the request ?
How can the external REST API verify the user's identity is genuine ?
Both web part and external REST API are under my control. I can contact SharePoint from the REST API for example.