The invalidation API requires secret key authentication in order to be accessed. You can find information about how to set up and get your secret key here. Once you have it in hand, put it in the header named "mrf-secret-key". Please keep in mind that invalidating content accept POST requests.
Here is an example of accessing a secured endpoint with the secret key using curl: