...
The scope can be set either server-side or on a request-by-request basis. Before access is granted to the client application, the end user will be shown the scope for which the client application is requesting access. This is done so that the end user can understand what data they will be exposing to the client and has the opportunity to decline the access request.
The API grants access on an end-user basis, so the API resources available to the client application will be limited by the end user's native access settings. Furthermore, data returned by any request will also be limited by the end user's native permissions in Actionstep. Activity in Actionstep via the API will be logged against the authorizing end user.
Tokens
All Access Tokens have a 30-minute lifespan and can easily be renewed via the OAuth2 token endpoint by using a Refresh Token, which has a 14-day lifespan. A Refresh Token is returned with every Access Token issued.
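One way a client can handle the two lifespans described above, shown as an added example that is not Actionstep's own code. `TokenManager`, `TokenSet`, the one-minute `SKEW` and the `exchange` callable (which stands in for the POST to the OAuth2 token endpoint, using the standard OAuth2 refresh grant fields) are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

ACCESS_TTL = 30 * 60            # Access Token lifespan stated on this page
REFRESH_TTL = 14 * 24 * 3600    # Refresh Token lifespan stated on this page
SKEW = 60                       # assumption: renew one minute before expiry

class ReauthorizationRequired(Exception):
    """The Refresh Token has expired: the end user must approve access again."""

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    issued_at: float            # both tokens are issued together

    def access_valid(self, now):
        return now < self.issued_at + ACCESS_TTL - SKEW

    def refresh_valid(self, now):
        return now < self.issued_at + REFRESH_TTL - SKEW

class TokenManager:
    def __init__(self, tokens, exchange, clock=time.time):
        self.tokens = tokens
        self.exchange = exchange    # hypothetical: sends the form to the token endpoint
        self.clock = clock

    def bearer(self):
        """Return a usable Access Token, renewing it when it is about to expire."""
        now = self.clock()
        if self.tokens.access_valid(now):
            return self.tokens.access_token
        if not self.tokens.refresh_valid(now):
            raise ReauthorizationRequired("refresh token older than 14 days")
        reply = self.exchange({"grant_type": "refresh_token",
                               "refresh_token": self.tokens.refresh_token})
        # A Refresh Token comes back with every Access Token: store the new
        # pair as a unit so the client always holds the most recent one.
        self.tokens = TokenSet(reply["access_token"], reply["refresh_token"], now)
        return self.tokens.access_token
```

In a real client the stored `TokenSet` should be persisted with the same protection as a password, since the Refresh Token grants API access as the authorizing end user for up to 14 days.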
...