The API is usually much easier to use than the direct REST calls especially the reasonably new Command Line Interface -- which is much more lightweight, and exceptionally easier to use as a result of the JSON integration, than the original by-product Command Line Tools
It's somewhere inside the documentation, but the following links seem to lead us toward an answer:
1) the high-level description of the "AUTHPARAMS" (as referenced frequently in the API documentation.)
The parameters that are required to authenticate a Conditional request. Contains:
2) a step by step outline of the parameters needed for a REST request:
3) the detailed outline of the method to derive the "signature" for the "AUTHPARAMS"
This is the example in the documentation (I've added new lines to make it easier to read)