Most developers hit a 403 on their first Copilot API call — not because of a misconfiguration, but because the Retrieval and Search APIs are delegated-only by design. This post maps the auth model, exact permission scopes per API surface, app registration choices, and SDK options into a single decision-support guide you can work through before writing your first integration call.
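A pre-flight check for the 403 described above, as an added example that is not code from the original post. It assumes the access token is a Microsoft Entra-issued JWT, where delegated tokens carry an `scp` claim and app-only tokens carry `roles`; the function names and the scope and role names in the samples are constructed placeholders.

```python
import base64
import json


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def classify_token(jwt: str) -> dict:
    """Classify an access token as delegated or app-only from its claims.

    The signature is NOT verified: this is a client-side pre-flight check
    before calling a delegated-only API, not an authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = _b64url_json(parts[1])
    scopes = claims.get("scp", "").split()  # delegated permissions (user context)
    roles = claims.get("roles", [])         # application permissions (app-only)
    if scopes:
        kind = "delegated"
    elif roles:
        kind = "app-only"
    else:
        kind = "unknown"
    return {"kind": kind, "scopes": scopes, "roles": roles,
            "delegated_only_api_ok": kind == "delegated"}


def _make_sample(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples; scope and role names are placeholders, not real permissions.
DELEGATED = _make_sample({"scp": "Placeholder.Read Placeholder.Search"})
APP_ONLY = _make_sample({"roles": ["Placeholder.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        print(name, classify_token(tok))
```

An `app-only` result before the first call points to the token acquisition flow rather than to the request itself.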