There are two main use cases for HCSS APIs: 1) interacting with your own data, and 2) interacting with other companies' data with their permission. The first use case is most common.
Interacting with your own data
Since all of the data is owned and controlled by your company, your application can interact with that data in any manner that you require. (The data interaction is still limited by API Scopes). No user interaction is required for this workflow, making it ideal for server-to-server or background applications. This use case corresponds to Client Credentials Authorization, and is by far the simpler of the two.
1) Windows service that automatically syncs changes in your accounting system to HeavyJob.
2) Web job that polls for new employee skills and uploads those skills into a 3rd party Learning Management System.
3) Custom website for entering time card materials and quantities for a given job within your company.
Interacting with other companies' data
Because this type of application interacts with other users' data, explicit user consent is required. When attempting to access a user's data, the user will first be prompted to allow access to your application. If they deny access, they will not be able to use your application. If they accept, you will receive an access token that represents that user. (And you can interact with data on their behalf.) This use case corresponds to Authorization Code Flow.
1) Mobile app that enables users to clock in and out of a worksite, and exporting that data into that company's time card.
2) Displaying an HCSS user's job list in a 3rd party construction application.