You only need to use basic auth on your call to the token service (which shouldn’t be exposed publicly). From that point on, use the token service to generate bearer tokens for continued authorization.
Code examples here: https://erphelp112300.zendesk.com/hc/en-us/articles/16639963843213-Setting-Up-Data-Security (you’ll need to be logged in to Epicor for the link to work, or simply search REST Services Guide within Kinetic, then in help navigate to Troubleshooting & Security > Setting Up Data Security).