API authorization is handled through the use of the Authorization header. A valid API key must be passed through this field on all requests.

Note that there are 3 API Key scopes available:

Reporting - This is a fully permissioned reporting API key with access to marketing analytics reporting, game analytics, user-level reporting, and unattributed goals. Generally this scope is used internally by the game developer/publisher.
Aggregate Reporting - This is a restricted reporting API key with access to the marketing analytics reporting for a specific set of teams. This role doesn't have permission to game analytics, user-level reporting, or unattributed goals. This scope is commonly used when providing external parties such as agencies programmatic access to their campaign performance data.
GDPR - This scope allows you to make Data Access, Right-to-Forget, and Opt-Out requests for user data.

You can find more details about provisioning API Keys on the API Key Management guide.