When I use postman myself i stick to oAuth2 with client credentials grant type.
I coped the Client id and client secret from a service user I created within the Manager UI.
There is probably a better solution out there though (possibly the “authorize using browser” option)
Be aware that our tokens expire very quickly.
/asset/query is the endpoint we often use to get assets from the database, since we can filter on several fields using http parameters.