Most of our Ingestion API calls such as Import Events, Track Events, User Profiles, and Group Profiles only require a Project Token. Because these APIs are often called from our client-side SDKs, we do not want to expose credentials, but we do need to know which project to send data to so we use the Project Token for that purpose. However, a few of the more powerful APIs such as Lookup Tables do require authentication. For these, it's recommended to use a Service Account. We also have legacy support for Project Secret but suggest any new integrations use a Service Account.