Authentication is provided via OAuth 2, draft 13. At present, only the code and token authorization response types are supported. Client IDs have secrets, which must be passed in code-for-token exchange requests. Issued tokens are bearer tokens with no secret and no expiry. Refresh tokens are not supported. Possible scopes are explained here.

The authorization endpoint.
The token exchange endpoint.

You'll need to obtain a client ID to use OAuth 2.
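The server-side code flow described above, as an added sketch that is not the demo code from GitHub or any code from this project: it builds the authorization redirect with a per-session `state` value, checks that value on the callback, and prepares the code exchange that carries the client secret. The endpoint URLs, client credentials and redirect URI are placeholders, and sending the client credentials in the request body (parameter names taken from the OAuth 2 draft) is an assumption about this provider.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): substitute the real endpoints and your own client credentials.
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"
TOKEN_URL = "https://provider.example/oauth2/token"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://app.example/callback"


def build_authorization_url(scope, response_type="code"):
    """Return (url, state); store state in the user's session before redirecting."""
    if response_type not in ("code", "token"):
        raise ValueError("only the code and token response types are supported")
    state = secrets.token_urlsafe(32)  # unguessable value that binds the callback to this session
    query = urlencode({
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Verify state in constant time, then return the authorization code."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def build_token_request(code):
    """Return (url, form body) for the code exchange; POST it from the server over TLS."""
    return TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,  # stays on the server, never sent to a browser
    }
```

Because issued tokens are bearer tokens with no expiry, whatever the exchange returns should be stored with the same care as a long-lived password.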

Demo code showing how to implement both server-side and client-side auth is provided on GitHub. You can see it in action here.