Admin API: Requires admin.read scope and a SuperAdmin or TenantAdmin role. Requests are scoped to the authenticated user's retailer via the tenant_slug claim.