I have the same confusion too.
The following code example works in shopify python SDK
import shopify
url = f"https://:{admin_access_token}@mystore.myshopify.com/admin"
shopify.ShopifyResource.set_site(url)
shop = shopify.Shop.current()
print(shop.to_dict())
I mean, API_KEY is even not required. I explored a bit deep from my confusion.
What I found from pyactiveresource module was,
self.auth = base64.b64encode(('%s:%s' % (self.user, self.password)).encode('utf-8')).decode('utf-8')
Here,
self.password is definitely admin_access_token and self.user is either blank string or API_KEY is accepted. Yes, we are talking about custom app.
From debug log, Basic Auth header is found which is base64 hashed string found from the above code.
pyactiveresource.connection: request-headers:User-agent:ShopifyPythonAPI/12.0.0 Python/3.8.13
Authorization:Basic base64hashedstring
So, from my analogy, Python SDK is still using Basic Authentication without sending any X-Shopify-Access-Token yet it works.
This is confusing since,
official Shopify Admin REST documentation asked to Include admin access token on X-Shopify-Access-Token header on all API queries. But it is still taking Basic Auth in old fashioned way