The ClassApp API uses OAuth2 over SSL for authenticate and authorization.
To access most of Query or Mutation, ClassApp API requires access token as authorization header for each request. Each Entity has a specific access_token that defines scope permission, such as ADMIN, STAFF or STUDENT.
Once application is created, it returns a Client ID and Client Secret. A Client ID is used to identify which application wants to access specific data. A Client Secret is used to authenticate the identity of the application.
Confused ? Maybe this OAuth2 explanation will help.