Unless otherwise noted, all API requests rely on Bearer Authentication.
    curl https://api.revenuehq.com/user \
      -H "Authorization: Bearer some-authentication-token"
There are three types of tokens that can be sent in this header: a user session token, a user API token, or an application API token.
User session tokens and user API tokens identify a specific individual, and have full access to modify the individual's account. These tokens are interchangeable: anything you can do with a user session token, you can do with a user API token (and vice versa). These tokens inherit all scopes assigned to the individual by an application.
Application API tokens are created by admins and are assigned specific permission scopes. These tokens are best used in backend systems, as they can be rolled more easily and systematically than tokens associated with specific users.
Security warning:
In general, API tokens inherit all scopes of the underlying resource (whether a user or an application). However, user API tokens cannot be used to transfer ownership of an application.
User API tokens are also prohibited from managing the user's own API tokens or, if the user has privileges for an application, any application API tokens.
API tokens can only be managed via a user session token.
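The bearer request shown at the top of this page puts the token on the command line, where it is visible in shell history and process listings. The following is an added example, not part of the original documentation, of sending the same header from a backend script without the token appearing in curl's arguments. The environment variable name `REVENUEHQ_TOKEN` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: send the bearer token to curl via a config read from stdin,
# so it never appears in curl's argv (ps output, shell history).
# REVENUEHQ_TOKEN and the rhq_* function names are assumptions for this example.

# Print a curl config line carrying the Authorization header.
# Fails if the token is unset or contains characters outside the RFC 6750
# bearer-token alphabet (quotes, whitespace or newlines could otherwise
# break out of the quoted header value).
rhq_curl_config() {
    token=${REVENUEHQ_TOKEN:-}
    if [ -z "$token" ]; then
        echo "REVENUEHQ_TOKEN is not set" >&2
        return 1
    fi
    case $token in
        *[!A-Za-z0-9._~+/=-]*)
            echo "token contains unexpected characters" >&2
            return 1
            ;;
    esac
    printf 'header = "Authorization: Bearer %s"\n' "$token"
}

# GET a path on the API host named on this page.
# printf is a shell builtin, so the token is not exposed as a process argument.
# --proto '=https' refuses any non-HTTPS transfer; --fail turns HTTP errors
# into a non-zero exit status.
rhq_get() {
    path=$1
    config=$(rhq_curl_config) || return 1
    printf '%s\n' "$config" |
        curl --silent --show-error --fail --proto '=https' \
             --config - "https://api.revenuehq.com${path}"
}

# Usage (performs a network request, so it is not run here):
#   REVENUEHQ_TOKEN=... rhq_get /user
```

Reading the config from stdin with `--config -` requires that stdin is not otherwise needed for a request body.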