Answers from Engineering
1) No. APIv3 is available to all users who have access to ASM. However, users can perform only actions they can in the UI (everything is permission driven). In the future, the whole UI ASM application could be built on top of the APIv3 - all the logic will be moved from UI application to the APIv3.
2) There are 3 ways of authentication for APIs:
a) old API credentials. The same credentials you use for the old API, can be changed in the UI, even for SSO authenticated users. This could be removed in a future release.
b) API token
c) OAuth2 token (
For now, you need the old API credentials or your UI access token (from cookies) to create tokens 2b and 2c. In the future, there could be a frontend application for token management.