Full API permissions are obtained by POSTing your username and password to [base]/adminsessions.
Your users authenticate to Respoke using an App-Token obtained when they POST your tokenId to [base]/appauthsessions.
An end-user client posts a tokenId obtained from POST [base]/tokens to authenticate to an app as endpointId.
By using the App-Secret header, you can perform API calls to obtain Respoke sessions for your users via POST to [base]/tokens. App-Secrets are found in the Dev Console.
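The brokered flow described above, with both sides shown, as an added example that is not Respoke's own code. The base URL, the request body fields (appId, endpointId, roleId, ttl), the `token` response field and the in-memory stand-in for the API are assumptions; only the routes, the tokenId and the App-Secret and App-Token headers come from the text.

```javascript
// Added example. BASE is a placeholder for [base]; body field names and the
// `token` response field are assumptions, not taken from the documentation.
const BASE = 'https://api.example.invalid/v1';

// Server side: holds the App-Secret and never sends it to the browser.
async function issueTokenId(httpPost, appSecret, appId, endpointId, roleId) {
  if (!appSecret) throw new Error('App-Secret missing');
  const res = await httpPost(`${BASE}/tokens`,
    { 'App-Secret': appSecret },
    { appId, endpointId, roleId, ttl: 60 }); // short ttl is an assumed choice
  if (!res || typeof res.tokenId !== 'string') throw new Error('no tokenId in response');
  return res.tokenId; // only this value is handed to the end-user client
}

// Client side: exchanges the tokenId for an App-Token and sends no secret.
async function startAppAuthSession(httpPost, tokenId) {
  const res = await httpPost(`${BASE}/appauthsessions`, {}, { tokenId });
  if (!res || typeof res.token !== 'string') throw new Error('no App-Token in response');
  return { 'App-Token': res.token }; // header for the client's later calls
}

// Constructed in-memory stand-in for the API so the flow runs offline.
function makeFakeApi(validSecret) {
  const log = [];
  const issued = new Set();
  async function httpPost(url, headers, body) {
    log.push({ url, headers, body });
    if (url.endsWith('/tokens')) {
      if (headers['App-Secret'] !== validSecret) throw new Error('401');
      const tokenId = `tok-${issued.size + 1}`;
      issued.add(tokenId);
      return { tokenId };
    }
    if (url.endsWith('/appauthsessions')) {
      if (!issued.has(body.tokenId)) throw new Error('401');
      return { token: `app-${body.tokenId}` };
    }
    throw new Error('404');
  }
  return { httpPost, log };
}

async function demo() {
  const api = makeFakeApi('constructed-secret');
  const tokenId = await issueTokenId(api.httpPost, 'constructed-secret', 'app-1', 'alice', 'role-1');
  const headers = await startAppAuthSession(api.httpPost, tokenId);
  // The second logged request is the client's; it must not carry the secret.
  return { tokenId, headers, secretSeenByClientCall: 'App-Secret' in api.log[1].headers };
}
```

In a real deployment `issueTokenId` runs only on your server behind your own login check, and `httpPost` is replaced by an HTTPS client.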