Looks like token guard is just a simple token solution which is like using a password. TokenGuard is looking for the token in 3 places:
in the URL for parameter ?api_token=XXX
in the header for "Authorization: Bearer XXX". Which is used in JWT, Oauth, etc.
in the header for "Authorization: Basic XXX". Which is Basic HTTP auth where XXX is base64 encoded username:password. The password is used as the token.