Access token types

Access tokens can be created on behalf of a user or on behalf of an account.

User tokens

User tokens enable actions to be performed on behalf of the user that authorized their creation. If enabled, any user can authorize your app to create a user token on their behalf.

With the proper scopes, a request authorized with a user token can do anything that the user could do on their own behalf (e.g. create projects, edit projects).

Account tokens

Account tokens enable actions to be performed on behalf of an entire account. Only admins on an account can authorize your app to create a token on behalf of the account.

Unless specifically intended, admins can't create tokens whose scopes permit actions that the admins themselves can't perform. Once created, the token is no longer associated with the user who created it.

Anyone who has access to the token can use your app to perform the administrative actions allowed by the scopes on the token, whether or not they would be able to do such actions without the token.

Access token endpoints

The token creation flow is equivalent for users and accounts, except for the authorization URL. Users will also see slightly different descriptions on the consent screen for the requested scopes based on whether permission is being granted for a user token, account token, or partner token.

  • User token endpoint: https://marq.com/oauth2/authorize
  • Account token endpoint: https://marq.com/oauth2/authorizeAccount
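
An added example (not Marq's own code) of how an app can start either flow from the two endpoints above and tie the callback to the session that began it, so that an account token is never recorded as a user token. It assumes the standard OAuth 2.0 authorization code parameters from RFC 6749 (response_type, client_id, redirect_uri, scope, state); the function names, client ID, redirect URI and scope names are placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# The two authorization endpoints listed on this page; all else is assumed.
AUTHORIZE_URLS = {
    "user": "https://marq.com/oauth2/authorize",
    "account": "https://marq.com/oauth2/authorizeAccount",
}


def build_authorization_request(token_type, client_id, redirect_uri, scopes):
    """Return (url, pending); store `pending` in the initiating user's session."""
    if token_type not in AUTHORIZE_URLS:
        raise ValueError(f"unknown token type: {token_type!r}")
    state = secrets.token_urlsafe(32)  # unguessable, single-use anti-CSRF value
    query = urlencode({
        "response_type": "code",  # RFC 6749 authorization code grant (assumed)
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    pending = {"state": state, "token_type": token_type}
    return f"{AUTHORIZE_URLS[token_type]}?{query}", pending


def handle_callback(callback_url, pending):
    """Validate the redirect against `pending`; return (code, token_type)."""
    params = parse_qs(urlsplit(callback_url).query)
    returned_state = params.get("state", [""])[0]
    # Constant-time comparison on bytes; rejects forged or replayed callbacks.
    if not hmac.compare_digest(returned_state.encode(), pending["state"].encode()):
        raise PermissionError("state mismatch: callback is not for this session")
    if "error" in params:
        raise PermissionError(f"authorization denied: {params['error'][0]}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    # The token type is read from our own session record, never from the
    # callback, so the resulting token is stored and protected as what it is.
    return code, pending["token_type"]
```

Because an account token stays valid independently of the admin who authorized it, the returned token type is the natural key for deciding where the token is stored and who in your app may use it.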