Most of the methods of the REST API require user authentication to access or create data.
There are currently two techniques to authenticate with the REST API.
Basic Authentication sends the user credentials in the header of the HTTP request. It requires an HTTPS connection.
Every API call that requires authentication has to contain the credentials in the HTTP header. In other words, the credentials are sent on every call to the API, except for calls that do not require authentication, for instance creating a new User.
In some cases it’s not possible to send the credentials in every request. For these cases there is Token authentication. Before a program starts using the API, it authenticates with Basic Authentication and requests a Token from the server. From that point on, Basic Authentication is not needed on each request as long as the Token is presented in the HTTP header. The Token is sent over the network in every request, just as the credentials are with Basic Authentication, but no user name or password is transmitted. The Token has an expiry time: if it’s not used for 5 hours, it expires.
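The following client-side sketch is an added example, not code from this API or its documentation. It shows the two modes side by side: it builds the Basic header, refuses to attach any credential to a non-HTTPS URL, and falls back to Basic Authentication once a Token has gone unused for 5 hours. The header name `X-Auth-Token`, the class `ApiSession` and the sample values are assumptions, since the page does not name them.

```python
import base64
import time
from urllib.parse import urlsplit

TOKEN_IDLE_LIMIT = 5 * 60 * 60  # seconds: an unused Token expires after 5 hours
TOKEN_HEADER = "X-Auth-Token"   # hypothetical header name, not given on the page


def basic_header(username, password):
    """Build the value of the Authorization header for Basic Authentication."""
    if ":" in username:
        raise ValueError("user name must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class ApiSession:
    """Decides which credential to attach to each outgoing request."""

    def __init__(self, username, password, clock=time.monotonic):
        self._basic = basic_header(username, password)
        self._clock = clock
        self._token = None
        self._last_used = 0.0

    def store_token(self, token):
        """Keep a Token the server issued in reply to a Basic-authenticated request."""
        self._token = token
        self._last_used = self._clock()

    def token_is_live(self):
        idle = self._clock() - self._last_used
        return self._token is not None and idle < TOKEN_IDLE_LIMIT

    def auth_headers(self, url):
        """Return the auth headers for url; never send a credential without HTTPS."""
        if urlsplit(url).scheme.lower() != "https":
            raise ValueError("credentials must only be sent over https")
        if self.token_is_live():
            self._last_used = self._clock()  # assumption: each use restarts the idle window
            return {TOKEN_HEADER: self._token}
        self._token = None  # idle limit passed: use Basic again and request a new Token
        return {"Authorization": self._basic}
```

Holding only the Token in long-running components keeps the user name and password out of most requests, which is the benefit the Token mode describes.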
See the Token Authentication topic for more details.