
API Authentication

API keys, Basic auth, Bearer tokens (opaque vs JWT), HMAC request signing, mutual TLS, refresh-token rotation, scoped permissions — what bytes each one actually puts on the wire, how the server checks them, and what an attacker holding them can do.
