# Authentication

Most endpoints use **Session Authentication**. You must include the session cookie in your requests.

**Required Headers for Authenticated Requests:**

* `Cookie`: Must contain `sessionid` (or `osessionid`) and `csrftoken`.
* `X-CSRFToken`: Required for state-changing methods (POST, PUT, PATCH, DELETE).

**Example:**

```http
Cookie: sessionid=abc123def456; osessionid=abc123def456; csrftoken=xyz789
X-CSRFToken: xyz789
```