Ok, I searched in the Cockpit code and found something like api_key! That is working for me!
https://cockpit.local/api/content/items/Seiten?api_key=xxx
It’s always about the documentation 
But am I right for a secure setup:
- authenticate with users credentials (getting from something like a web form)
- check authentification with /api/user/auth
- save the api_key safely, and temporary on the Webserver (e.g. in a session) for current actions.