There are two ways of authenticating requests when performing actions on behalf of an application.
For server side integrations, you authenticate by providing your application's Server API Key and Server API Secret via HTTP Basic Auth's username and password respectively.
If you're planning on making requests from a client-side application, you are required to set your application's Origin whitelist setting which authorizes specific origin hostnames to make requests with your Client API Key via HTTP Basic Auth's username.
Remember, that should you never expose your Server API Key or your Server API Secret in any public website's client-side code.
All API requests must be made over HTTPS.