What is a scoped access token and do I need it?

I’m creating a web server-based application for a Particle powered product. This will use Two-Legged authentication.

In the process described in the documentation, there’s a step I don’t understand - creating a scoped access token.

First your OAuth client is created (one-time). Then, to create a customer, there’s a POST to https://api.particle.io/v1/products//customers to create the customer.

After that, the documentation (Tutorials > Device Cloud > Authentication) shows a POST to https://api.particle.io/v1/products/:productIdOrSlug/device_claims to create a claim code for the device.

But in searching the forum, and also in the Authentication article, there’s a reference to creating a scoped access token as a step between creating the customer and creating the claim code. Is this right?

I can’t seem to find more information about what this is, what it does, and if it’s absolutely necessary. It would seem that after you create the customer, you should just need a claim code?

…or, is this the access token needed for the customer to interact with the Particle Cloud? But it looks like the customer creation endpoint returns that?

Can someone elaborate?

By looking at the URLs in the various examples and documents, I think I know the answer.

The device claim API/endpoint needs to receive a scoped access token for authentication, which is the same kind of token a developer uses in the IDE or in an application to access the Particle Cloud API.

I think the token returned by the create customer API is temporary and is supposed to be used to get this scoped access token for Particle Cloud API use.

…right?