...
Anonymous users are identified by username and password. You create them explicitly for your untrusted devices.
Derived users are identified by their username only, specified by
X-User-Identifierheader. The value is up to you, usually a stable hash of your internal user identifier. A derived user is automatically created if it doesn't exist already. It is unique for the client.
...
To communicate with Gini Pay API from untrusted devices, acquire a token from Gini Pay API for the user and hand it over to the untrusted device. The user is derived/created from X-User-Identifier header. The value is up to you, usually often a stable hash of your internal user identifier.
...
When you communicate with our API from a trusted device using client credentials (option 1), a derived user is automatically created for a given X-User-Identifier when it's specified for the first time. From then on, the derived user stays fixed for this client ID and X-User-Identifier. You can also acquire an access token for this user, so it can be used by an untrusted device. This scenario is valid when you have both trusted and untrusted devices communicating with our API and you don't want client credentials stored on an untrusted device.
...
Obtain the client token using client credentials
Create a new user using the client token
Log in on behalf of the user and acquire an access token
Make API requests with the access token
Access tokens expire. So the last two steps should be repeated to refresh the token and hand it over to the untrusted device for use.
...