Just an update, since our ssl can be HTTP/2 a header field needs to be lower case. I have updated the API to accept 'x-api-token' as well (used to only accept 'X-API-Token' and I suggest others update their header fields. The upper case version will still work since cloudflare converts it for us.
Source:
Section 8.1.2 of RFC 7540
So if you were randomly receiving {"ERROR":"You must be authenticated to use this API."} this has been fixed.