The Client_Id and Client_Secret is the API registration, and your understanding is correct that it refers to your client application, however the same registration details are used for any number of Collaborate users to use the API calls. The generated OAuth token is always related to a specific user. From my understanding this is how OAuth works in general, and this implementation is not specific to HighQ or Collaborate. 

Ok so you are referring to step 2 (Generate a OAuth code). What I couldn't see in the documentation was how the user is specified as there isn't an example.  The only parameters appear to be the Client_ID and Client_Secret but I thought those would refer to our client application (of which there would be 1) calling the Collaborate API and not the individual users (of which there would be 5).  Are you able to clarify this point please?

Jim Page The user account is specified when you login to Collaborate to generate the OAuth code, the OAuth token created  after that step is automatically associated to the user account which was used to create the OAuth code. Any API call made to the server using the OAuth token is then made based on that user account, there is no impersonation capabilities available through the API at this point. In your example if there are 5 users, then a separate OAuth token is to be generated for each of them, and using their OAuth token you can get the content specific to their account. 

With regard to API permissions, this states 'During the OAuth handshake a user account is associated with each API token', however looking at the 'API Access Mechanism Using OAUTH2' instructions I can not see where the user account is specified.  Is my understanding correct that if a collaborate instance has 5 users then the API can be called and effectively 'impersonate' any of those users, so for example if calling GetSiteLIst I could get a different list of Sites for UserA and UserB depending on the user I was calling the API under?