Domec API uses JSON Web Tokens (JWTs) to authenticating requests. These tokens are signed using HMAC-SHA256 with your Global Client Secret, which can be obtained using the Token Generator on this same page.
The scopes claim of this token indicates which actions can be performed with it when calling Domec API.
For example, this token would grant read-only access to users and read/write access to rules. Trying to perform any other action will result in a 403 Forbidden response.