So basically the way authentication works is that you need to use OAuth2 with Bearer tokens. Access tokens have a TTL (time to live) of 3600 seconds, which is one hour. There are also refresh tokens, which last about 30 days. Tokens are issued through the /auth/token endpoint; you can use either the client credentials flow or the authorization code flow depending on your use case. Refresh tokens can only be used once: after you use one it gets invalidated, and you get a new refresh token back along with the new access token.

Every single API request needs to carry the Authorization header with a valid bearer token, or it should be rejected. One important thing to note is that admin tokens are special: they can access resources across all organizations in the system. Regular user tokens, on the other hand, can only access data within their own organization, which makes sense from a security perspective.

On rate limiting: we have a limit of 500 requests per minute per API key, applied globally across all endpoints. If a client goes over the limit, you should return a 429 status code and make sure to include the Retry-After header so they know when to try again.
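Here is a small reference model of those rules in Python, added as an example; it is not the service's own code. The class name `AuthServer`, the in-memory dicts, the fixed 60-second rate window, the sample organization names and API key, and the choice of 401 for a missing, invalid or expired token versus 403 for a cross-organization access are all assumptions made for the example (the text only says such requests are rejected). Sample values are constructed.

```python
"""Model of the described auth rules: one-hour access tokens, ~30-day single-use
refresh tokens, org scoping with an admin override, and a 500 req/min per-key
rate limit that yields a Retry-After value. Added example, not the service's code."""
import math
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TTL = 3600              # seconds, as stated: one hour
REFRESH_TTL = 30 * 24 * 3600   # about 30 days
RATE_LIMIT = 500               # requests per minute per API key, all endpoints
WINDOW = 60                    # assumption: a fixed 60 s window


@dataclass
class Token:
    org: str
    admin: bool
    expires_at: float


@dataclass
class AuthServer:
    access: dict = field(default_factory=dict)    # access token -> Token
    refresh: dict = field(default_factory=dict)   # refresh token -> Token (single use)
    hits: dict = field(default_factory=dict)      # api_key -> (window_start, count)

    def issue(self, org, admin=False, now=None):
        """Mint an access/refresh pair, i.e. what /auth/token hands back after
        either the client credentials or the authorization code flow."""
        now = time.time() if now is None else now
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = Token(org, admin, now + ACCESS_TTL)
        self.refresh[r] = Token(org, admin, now + REFRESH_TTL)
        return a, r

    def refresh_pair(self, refresh_token, now=None):
        """Rotate: the presented refresh token is consumed (pop), so a second
        use of the same value fails; a new access+refresh pair is returned."""
        now = time.time() if now is None else now
        t = self.refresh.pop(refresh_token, None)
        if t is None or t.expires_at <= now:
            return None
        return self.issue(t.org, t.admin, now)

    def authorize(self, headers, resource_org, now=None):
        """Return (status, reason) for a request against resource_org.
        401: no/invalid/expired bearer token. 403: regular token reaching
        outside its own org. 200: allowed (admin tokens cross all orgs)."""
        now = time.time() if now is None else now
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, "missing bearer token"
        t = self.access.get(token)
        if t is None or t.expires_at <= now:
            return 401, "invalid or expired token"
        if not t.admin and t.org != resource_org:
            return 403, "token scoped to another organization"
        return 200, "ok"

    def check_rate(self, api_key, now=None):
        """Count a request. Returns (allowed, retry_after_seconds); when not
        allowed the caller answers 429 with Retry-After set to the second value."""
        now = time.time() if now is None else now
        start, count = self.hits.get(api_key, (now, 0))
        if now - start >= WINDOW:          # window elapsed: start a new one
            start, count = now, 0
        count += 1
        self.hits[api_key] = (start, count)
        if count > RATE_LIMIT:
            return False, max(1, math.ceil(start + WINDOW - now))
        return True, 0


def demo():
    """Walk through the rules with a fixed clock; returns the observed outcomes."""
    srv, now = AuthServer(), 1_700_000_000.0          # constructed timestamp
    a, r = srv.issue("acme", now=now)                  # regular token, org "acme"
    adm, _ = srv.issue("ops", admin=True, now=now)     # admin token
    bearer = lambda tok: {"Authorization": f"Bearer {tok}"}
    out = {
        "no_header": srv.authorize({}, "acme", now)[0],
        "own_org": srv.authorize(bearer(a), "acme", now)[0],
        "other_org": srv.authorize(bearer(a), "globex", now)[0],
        "admin_any_org": srv.authorize(bearer(adm), "globex", now)[0],
        "expired": srv.authorize(bearer(a), "acme", now + ACCESS_TTL)[0],
    }
    out["refresh_ok"] = srv.refresh_pair(r, now + 10) is not None
    out["refresh_reused"] = srv.refresh_pair(r, now + 20)   # None: already consumed
    for _ in range(RATE_LIMIT):                              # 500 requests in one minute
        allowed, _ = srv.check_rate("key-1", now)
    out["within_limit"] = allowed
    out["over_limit"] = srv.check_rate("key-1", now)         # 501st -> (False, 60)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The refresh rotation relies on `dict.pop`, so the old refresh token disappears the moment it is redeemed; in a real deployment the same single-use property has to hold across server instances, which means the store needs to be shared and the consume step atomic.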