Security: Implement modern JWT authentication for V3 CRUD and Search; update documentation and to-do list.

documentation/V3_FRONTEND_API_GUIDE.md

@@ -75,7 +75,35 @@ Use the `q` property in your search body for a general keyword search across ind
 
 ---
 
-## 3. Best Practices for V3
+## 4. Authentication in V3
+
+V3 supports multiple authentication methods. The backend resolves these automatically.
+
+### A. Standard Requests (Header)
+For most API calls, use the standard Bearer token in the `Authorization` header.
+
+```ts
+// Example: Setting the JWT in headers
+headers: {
+    "Authorization": `Bearer ${user_jwt_token}`
+}
+```
+
+### B. Secure File Downloads (URL Parameter)
+**Crucial for `hosted_file` and `event_file`**: To allow browsers to download files without complex header modifications, you can pass the JWT directly in the URL.
+
+```ts
+// Example: Creating a secure download link
+// GET /v3/crud/hosted_file/{id}/?jwt={token}
+const downloadUrl = `${BASE_URL}/hosted_file/${fileId}/?jwt=${jwtToken}`;
+```
+
+### C. Legacy Fallback (X-Account-ID)
+For development and backward compatibility, the `X-Account-ID` header is still supported but should be phased out in favor of JWT.
+
+---
+
+## 5. Best Practices for V3
 
 1.  **Use `view` for Rich Data**: Instead of manually joining data in separate calls, use `?view=enriched` or `?view=detail` if defined in the backend.
 2.  **Hybrid Search**: Use query parameters for simple toggles (enabled/hidden) and the POST body for complex logic.