All API calls on the Toornament APIs require your application to be authenticated. When accessing private data, your application must also be authorized to access the data. For example, accessing public tournament information does not require authorization, but accessing the user's registrations does.
The authorized access allows reading and modifying user data, both private and public. You may still be limited to the operations granted by the user's permissions.
An authorized access requires your application to be both authenticated and authorized. Such authorization is accomplished by using the OAuth 2 protocol.
Each API endpoint that requires an authorized access will also require a scope. In OAuth 2, a scope represents a set of permissions. When an application must access a particular resource, it must first obtain the authorization to access that resource with the appropriate permissions. For example, if the application wants to read private data, it should only request the authorization to read, not to write.