OAuth and Mutli Access Token

I need some understanding about access token in a particular context.

I have an app which has users. The user are using credentials (email,password) to connect through an ui and a auth api. This app uses differents user endpoints api such as a billing api.

Until then, the ui was sending the user credentials to the auth api, and received a access token (with a signed cookie).

I now need to extend the scope of this app to third part clients. The clients must be able to create and connect only their users. So this is not a case like instagram using facebook auth to connect users with a facebook id. I do not need users approvals or authorization codes.

The clients can also access to specific application endpoints (with and without an authentificated user)

Should I implement an OAuth (1.0 or 2.0) for the clients ; check for a bearer/access token in the authorization header to make verify the identify of the client, and check for an access token in the cookies to verify if the user is connected ?

Is it possible to have 2 different access token (1 for the client & 1 for the user) in one http request ? Does it seems normal to do that ?

What solution would you implement ?