All the endpoints require authentication. In order to do it you have to call to the special /rest/authenticate endpoint, which will return a token.
This endpoint expects an API key to be provided. API keys are generated (and managed) from the command line. Run the api-key:generate command to get a new and valid API key.
At the Endpoints section you can find more information about how to perform the authentication request.
The token will expire after a week. You will have to pass it on every request in the Authorization header with Bearer authorization type, and every response will return the Authorization header as well, with a refreshed token which will last another week.
Example:Authorization: Bearer eyJ0eX...
If a token is not provided or the token has expired, the server will return an error like this, with a status 401:
"message": "Missing or invalid auth token provided. Perform a new authentication request and send provided token on every new request on the \"Authorization\" header"
If the token was properly provided in the Authorization header but the authorization type is missing or has any value different than Bearer, the server will return one of these errors, with status 401.
"message": "You need to provide the Bearer type in the Authorization header."
"message": "Provided authorization type <type> is not supported. Use Bearer instead."
All the tokens generated by Shlink's REST API follow the JSON Web Token standard. You can read about it at jwt.io.