The Content Delivery API uses API Tokens for authentication:
Authorization: Bearer <YOUR-API-TOKEN>
You can find your read-only API token in the Settings > API tokens section of your administrative area, or generate a new token with more specific permissions:
Regardless of which API token you use, make sure that the "Access the Content Delivery API" or "Access the Content Delivery API in Preview Mode" flags are enabled, otherwise the API token will not be able to make calls to the CDA.
If you want to restrict GraphQL access to only a selection of your models, generate a custom API token and assign it a custom role that limits which models it can read.
When an API token can only access specific models, every other model (and all of its fields) is hidden from the GraphQL schema and from query responses, so the token cannot even discover that those models exist.
On projects created before January 8, 2024 — and that have not explicitly activated the "Improved GraphQL Security" update — the behavior will be slightly different: you can read all the details in the related product update.
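As an added example (not code from the original page or from the CDA itself), the script below builds the authenticated request described above, sends a query with the Bearer token, and compares the root query fields that two different tokens can see, so you can verify that a model-restricted token really does hide the other models from the schema. The endpoint URL, the token values and the two introspection responses are assumptions and constructed sample data, not captured from a real project.

```python
"""Added example: Bearer-token authentication to the Content Delivery API and an
introspection-based check of which models a token exposes. Endpoint URL and sample
responses are assumptions / constructed data, not the page's own."""
import json
import os
import urllib.request

# Assumed CDA endpoint; the page does not state it.
CDA_ENDPOINT = "https://graphql.datocms.com/"

# Introspection query listing the fields exposed on the root Query type.
ROOT_FIELDS_QUERY = "{ __schema { queryType { fields { name } } } }"


def build_request(token: str, query: str, endpoint: str = CDA_ENDPOINT) -> urllib.request.Request:
    """Build the POST the CDA expects: JSON body, API token as a Bearer credential."""
    body = json.dumps({"query": query}).encode()
    return urllib.request.Request(
        endpoint,
        data=body,
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )


def send(req: urllib.request.Request) -> dict:
    """Send the request and decode the JSON response (network call; only used under __main__)."""
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def is_permission_error(response: dict) -> bool:
    """True when the API answered with GraphQL errors and no data, e.g. a token
    that lacks the "Access the Content Delivery API" flag."""
    return bool(response.get("errors")) and not response.get("data")


def exposed_root_fields(introspection_response: dict) -> set[str]:
    """Root query field names visible to the token that ran the introspection query."""
    fields = introspection_response["data"]["__schema"]["queryType"]["fields"]
    return {f["name"] for f in fields}


def models_hidden_from(restricted: dict, full: dict) -> set[str]:
    """Root fields a full-access token sees that a model-restricted token does not."""
    return exposed_root_fields(full) - exposed_root_fields(restricted)


# Constructed sample responses (assumed shapes, not captured from a real project).
FULL_ACCESS_RESPONSE = {"data": {"__schema": {"queryType": {"fields": [
    {"name": "allArticles"}, {"name": "article"},
    {"name": "allAuthors"}, {"name": "author"}, {"name": "_site"},
]}}}}
RESTRICTED_RESPONSE = {"data": {"__schema": {"queryType": {"fields": [
    {"name": "allArticles"}, {"name": "article"}, {"name": "_site"},
]}}}}
MISSING_FLAG_RESPONSE = {"data": None, "errors": [{"message": "constructed: token cannot access the CDA"}]}


if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    print("hidden from restricted token:", sorted(models_hidden_from(RESTRICTED_RESPONSE, FULL_ACCESS_RESPONSE)))
    print("missing-flag response is an error:", is_permission_error(MISSING_FLAG_RESPONSE))
    # Live check: set DATO_API_TOKEN (assumed variable name) to run against the real endpoint.
    token = os.environ.get("DATO_API_TOKEN")
    if token:
        live = send(build_request(token, ROOT_FIELDS_QUERY))
        if is_permission_error(live):
            print("token rejected:", live["errors"])
        else:
            print("root fields visible to this token:", sorted(exposed_root_fields(live)))
```

Run the introspection once with a full-access token and once with the restricted token, then diff the two field sets: the difference is exactly the set of models the restricted token cannot see. Because the hidden models are absent from the schema rather than merely returning errors, a token that leaks out of a front-end bundle reveals nothing about content it was not granted.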