To be able to access the user’s resources (i.e. the things data) the user must have authorized the app to see these resources.
To check which resources has the user available we can call the GET /resources endpoint. Then, if we are interested in some of his resources we can ask the user to grant the app permissions to use them. For each resource and thing, there are three types of permissions: get, post and grant. Get and post are equivalent to read and write. Grant allows the app to grant this permission to more users.
When an app requests permissions, the platform sends a confirmation email in background to the user to check if the user is aware of this action. The user must confirm before the app can access the data. There is an exception, when the app is an official app the permissions are granted automatically.