The security schemes used by the various endpoints depend on the use case. Below is a summary.
Security Token Endpoint
The endpoint for create, deleting or updating tokens is protected to authenticated administrators only.
See Access Token Operations for usage
Agent State Endpoint
The endpoint for viewing, enabling or disabling agent state requires an Access Token and site cookie. (no authentication is required)
See Agent State Operations for usage.