Most API requests must have an api_token parameter that is generated for the user from the admin interface ("Account" -> "My profile"). This token ensures that all requests are made by authorized users.
The api_token can be provided within the url, if necessary (to test some requests in the browser, for example) by adding ?api_token=8712f9767e6a03ab6c8a80d53fc3ef6e to the end of the request URL.
Another alternative is using the X-API-TOKEN header:
Both methods work interchangeably.
Some resources allows limited anonymous access (e.g. Article index etc) where API token is not required. If the endpoint allows anonymous access then it's specially marked in API documentation.