You authenticate to our API by providing your Personal Access Token or a Workspace Access Token in the request. Your tokens carry many privileges, so be sure to keep them secret and secure!
All API requests must be made over HTTPS. Calls made over plain HTTP will fail. You must authenticate for all requests.
As you noticed no password nor authentication process is required to access the APIs which is why you need to be extra careful with you access key rights and how (and to whom) you disclose them.