Instagram’s API uses the OAuth 2.0 protocol for authentication and authorization. OAuth 2.0 allow developers to start using the Instagram API almost immediately. All requests to the API must be made over SSL (https:// not http://)
For the most part, Instagram’s API only requires the use of a client_id. A client_id simply associates your server, script, or program with a specific application. However, some requests require authentication – specifically requests made on behalf of a user. Authenticated requests require an access_token. These tokens are unique to a user and should be stored securely. Access tokens may expire at any time in the future.
In many situations, you may not need to authenticate users at all. For instance, you may request popular photos without authenticating (i.e. you do not need to provide an access_token; just use your client ID with your request). Authentication is required in cases where your application is making requests on behalf of a user (commenting, liking, browsing a user’s feed, etc.).
More resources for developers on Instagram website.