API Overview

Authentication

Web auth — JWT in access_token cookie + CSRF double-submit. Used by the in-browser app.
API key — Authorization: Bearer zpk_…. Used by RMM-driven scripts (scan/reconcile/capture/configure/install/uninstall).

TODO: document per-endpoint rate limits once finalised.