All NxtOne APIs are authenticated with scoped, time-bound tokens.
Issue tokens from the NxtOne dashboard with a fixed scope (read, write, admin) and expiry.
Pass the token in an `Authorization: Bearer <token>` header on every request.
Tokens can be rotated at any time without disrupting active sessions.