An Alfresco application uses the OAuth 2.0 authorization code flow to authenticate itself with Alfresco Cloud and to allow users to authorize the application to access data on their behalf.
You first register your application on the Alfresco Developer site. You provide a callback URI, and a scope. Registration will provide you with an API key and a key secret which are required by your application to authorize itself. When a user runs your application, the application requests an authorization code from Alfresco using its API key, key secret, callback URI and scope. Alfresco will inform the user that your application wishes to access resources, and asks the user to grant or deny access.
If the user grants access, Alfresco returns an authorization code to the application. Your application then exchanges the authorization code for an access token. Your application can then call the Alfresco CMIS API and the Alfresco REST API with the access token.