Access tokens

Is there a description or overview anywhere of all these access tokens and which can/should be used for which things with which headers or the like? That is, is there a design to the security model?

I’ve gone through many of the combos personally and most don’t authenticate for me. It’s difficult to tell, though, whether I’m doing it wrong or whether that’s expected. Finding combos that work seems to be purely a question of chance and a lot of tedious work.

Also, api vs git vs curl vs etc. Are these using the same authentication model or database?