In order to access OAUTH protected Rally APIs, the application developer needs to authenticate to Rally with the username and password that was used to create the developer account on the rally.io site. See OAuth Overview for details.
The user can initiate the transfer via v1/transactions/transfer/initiate API. The system checks the app eligibility, creates a transaction record and returns a transaction id.
The user can check the transaction status with the transaction id that was returned in the previous step. The API endpoint is v1/transactions/:transactionId/status
Assuming the user has sufficient amount of coin to proceed with the transfer, an email is sent to the user. The email has a link to a Rally.io confirmation page where the user can approve or reject the transaction. The user has 60 minutes to approve the transaction, otherwise it becomes "expired".