ok so I'm not sure we're not getting tangled in confusing terminology here.
API Key = found inside your IS app and is iSDK api only
Client secret/id = values setup in Mashery to allow you to request the authorization to get access/refresh tokens (but is not the access token used for the api)
Authorization token = a token obtained for the sole purpose of providing a secure authorization request for a specific app from a user to authorize you access (this is when the allow/deny page comes in play)
Access Token = this token represents the authorized connection between you and the app that has been authorized. This is the token used for api access (OAuth)
Refresh Token = used to get a new set of access/refresh tokens to renew the lease which is 24 hours.
iSDK = the legacy, legacy api. uses the IS app key authentication but more recent versions have been adapted to use OAuth as well.
API = newer (now called legacy also) api that is structured differently than the iSDK but will only accept OAuth as authentication.
REST API = included within the API but does not need the API to be used and also requires OAuth to authenticate. Getting a valid access token can be done through the interactive io docs or by a simple app that facilitates this.
REST HOOKS = while you will need to validate your end point that receives information (needing a valid access token), after validation you would only need to handle the information as it is sent from IS.
XML-RPC = underlying method for API communication. This applies to more than one implementation of the available API's.
All the above that use OAuth for authentication will allow the same access token to work for making api calls. Most manage the refresh process by storing the access and refresh tokens with time to live in a simple database table and requesting a new set using the refresh tokens before it expires in 24 hours by scheduling a refresh service to automatically run.