...

Not only does this kind of flow let the client application impersonate the user, but it also gives users the peace of mind that their private credentials are handled only by MailUp. No username or password can be intercepted and stored by the client.

 



OAuth v2: 3-legged authentication - Authorization code grant flow example

...


3-legged Authentication

In the picture above you can view the generic operations involved in the authorization process, which can be divided into three main steps.

...

Developers that wish to use the MailUp REST API must first request a developer account to get a pair of API keys.*

Once logged into their MailUp developer account, they can use the Developers tab to request application credentials (client_id and client_secret). Without these credentials, the application will not be recognized by the authorization server and it won't be able to access the system. We recommend that these credentials are saved in a safe way (e.g. inside the application's non-public source code) in order to prevent any changes. The developer is responsible for keeping them secret and safe.

*Please contact MailUp support if the MailUp Dev portal is not accessible.

Authorization

The client application requests to be authorized to communicate with the MailUp REST API by sending its private credentials to the authorization server.

...

Token refresh

As the access token has a limited duration, it should be refreshed from time to time. This is possible by submitting a request to the authorization server. The two parameters to be provided are:

...

Basically, the application should periodically check the access token's expiration date and time, or intercept the HTTP status codes and handle them appropriately.
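Both strategies can live in one small wrapper, shown here as an added example that is not MailUp's own code. The refresh request is delegated to a hypothetical `refresh_fn` callable, and treating 401 as the "token rejected" status is an assumption; the clock, tokens and API responses in `demo()` are constructed.

```python
import time

class TokenManager:
    """Refreshes an access token before expiry, or once after a 401."""
    def __init__(self, refresh_fn, skew=30, clock=time.monotonic):
        # refresh_fn (hypothetical, app-supplied) sends the refresh request
        # and returns (access_token, expires_in_seconds).
        self._refresh_fn, self._skew, self._clock = refresh_fn, skew, clock
        self._token, self._expires_at, self.refresh_count = None, 0.0, 0

    def _refresh(self):
        self._token, expires_in = self._refresh_fn()
        self._expires_at = self._clock() + expires_in
        self.refresh_count += 1

    def token(self):
        # Strategy 1: compare the clock with the expiry, minus a safety margin.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return self._token

    def call(self, send):
        """send(token) -> (status, body); retried at most once on 401."""
        status, body = send(self.token())
        if status == 401:  # Strategy 2: server rejected a token we thought valid
            self._refresh()
            status, body = send(self._token)
        return status, body

def demo():
    """Constructed scenario with a fake clock and fake API; no network."""
    now, issued, revoked = [0.0], [], set()
    def refresh_fn():
        issued.append("tok%d" % (len(issued) + 1))
        return issued[-1], 3600
    def send(token):
        return (401, "rejected") if token in revoked else (200, "ok:" + token)
    tm = TokenManager(refresh_fn, skew=30, clock=lambda: now[0])
    out = [tm.call(send)]       # first call obtains tok1
    now[0] = 3580.0             # within 30 s of expiry: proactive refresh
    out.append(tm.call(send))
    revoked.add("tok2")         # invalidated server-side before expiry
    out.append(tm.call(send))   # 401, refresh, retry with tok3
    return out, tm.refresh_count

if __name__ == "__main__":
    print(demo())
```

The single retry matters: if the request still returns 401 after a refresh, the failure is surfaced to the caller instead of looping against the authorization server.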

...