Most API requests must have an api_token parameter that is generated for the user from the admin interface ("Account" -> "My profile"). This token ensures that all requests are made by authorized users.
The api_token should be provided using the X-API-TOKEN header:
Another alternative is using the url query parameter (less secure), if necessary (to test some requests in the browser, for example) by adding ?api_token=8712f9767e6a03ab6c8a80d53fc3ef6e to the end of the request URL.
Both methods work interchangeably.
Some resources allows limited anonymous access (e.g. Article index etc) where API token is not required. If the endpoint allows anonymous access then it's specially marked in API documentation.