Just to add a bit more - there is likely an end point somewhere in the API where you can generate token.
Usually this is the end point where you send the username and password and get back a token.
The token is what you use in subsequent calls to make use of the api. In part, so you don't have to keep sending you're username and password everywhere all the time. There can also be another benefit which is that you can limit the scope of a token to certain specific data or functions.
Your workspace(s) might start with a "Login" call which will give you back a token, this token can then be used in the Authorization header. After a while the token will expire and you'll have to generate a new one.
There are a few different ways token authentication can get implemented but it's often roughly the process outlined above.