You could handle authorisation in a similar way to authorisation of REST services.
JSON Web Tokens (JWTs) are a widely used authorisation method. You can find demonstrations and a conceptual overview of JWTs at jwt.io. In brief, a JWT is a signed JSON object, encoded as a string. The JSON object can make any number of arbitrary "claims" about the permissions the client has.
Your service would sign a JWT (using a private key) and pass it to the client during authentication, which I suggest would be done by a JSON-RPC method that checks the permissions of the client (by API key, username and password or whatever). Your protected methods could then require a JWT as one of their parameters: performing their normal functionality if the JWT is verified and has the correct claims, else returning an error.
I suggest having a look at the github.com/dgrijalva/jwt-go package. It provides methods for issuing and verifying JWTs.
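The flow described in this answer, as an added example that is not part of the original answer and is not jwt-go code: it builds and checks the token with the Go standard library (Ed25519 signatures) instead of jwt-go so that it runs without dependencies. The `Claims` layout, the `allow` claim, the `Issue` and `Authorize` functions and the method names are assumptions made for illustration.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims (hypothetical): who the caller is, which methods it may call, expiry.
type Claims struct {
	Sub   string          `json:"sub"`
	Allow map[string]bool `json:"allow"`
	Exp   int64           `json:"exp"`
}

var b64 = base64.RawURLEncoding
var header = b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))

// Issue is what the authentication method returns once credentials check out.
func Issue(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	msg := header + "." + b64.EncodeToString(body)
	return msg + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

// Authorize runs first in every protected method, on its token parameter.
func Authorize(pub ed25519.PublicKey, token, method string, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != header { // exact match pins alg; the header is never trusted
		return nil, fmt.Errorf("malformed token or unexpected algorithm")
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	body, _ := b64.DecodeString(p[1]) // claims are read only after the signature verifies
	if json.Unmarshal(body, &c) != nil || now.Unix() >= c.Exp || !c.Allow[method] {
		return nil, fmt.Errorf("expired token or method not permitted")
	}
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample key and claims
	tok := Issue(priv, Claims{"alice", map[string]bool{"account.read": true}, time.Now().Add(time.Hour).Unix()})
	fmt.Println(Authorize(pub, tok, "account.delete", time.Now()))
}
```

A protected JSON-RPC handler would call `Authorize` with its own method name and return a JSON-RPC error object when it fails, keeping the token short-lived so a leaked one expires quickly.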