Applications must always use an OAuth token in the API request header called Authorization: in order to consume any of the APIs provided by AT&T.
An OAuth access token is obtained by invoking the OAuth API which triggers the authorization process. This process may involve interaction between the application and the API Platform only, as in the case of OAuth Token request, or it may involve interaction between the user's browser and the API platform. In the latter case, the secure interaction is initiated by the developer's application but the secure authentication is intentionally routed around the developer's application and, in so doing, assures the end-user that their user credentials are kept secure and are only passed between AT&T and the user's browser.
For more details on the difference between OAuth flows involving the user (authorization code type) versus flows not involving the user (client credentials type), compare and contrast the OAuth process descriptions given for the Get Access Token method and Get User Authorization method.