Summary
The following links explain how to create a SharePoint Add-in app with the required permissions. For security reasons, always follow a least-permission strategy when granting permissions to your app: grant only the access the app actually needs, starting with List, then Subwebs, Webs, Site Collection and so on.
- Add-in permissions in SharePoint
- SharePoint Add-In — Permission XML cheat sheet
The following three URLs will be handy: the first registers a new app, the second sets the permissions for the app, and the third lists apps that you or others have previously created.
- https://[Your SharePoint Site URL]/_layouts/15/AppRegNew.aspx
- https://[Your SharePoint Site URL]/_layouts/15/AppInv.aspx
- https://[Your SharePoint Site URL]/_layouts/15/AppPrincipals.aspx
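As an added illustration of the least-permission advice (not part of the original post), here is the permission request XML entered on AppInv.aspx, with an overly broad grant beside a scoped one. It assumes the app only needs to read items from one list, as the script in this post does; `AllowAppOnlyPolicy="true"` is needed because the client-credentials token carries no user identity.

```xml
<!-- Constructed example: permission request XML pasted into AppInv.aspx. -->

<!-- Too broad for a read-only script: full control of the whole site collection.
     A leaked client secret would then expose every web and list in it. -->
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection"
                        Right="FullControl" />
</AppPermissionRequests>

<!-- Least privilege for a script that only reads list items:
     list scope with the Read right. The trust prompt then asks
     which list the app may access. -->
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list"
                        Right="Read" />
</AppPermissionRequests>
```

Widen the scope (web, then site collection) or the right (Write, Manage, FullControl) only when the app demonstrably needs it.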
Step By Step
Step # 1 Once you have created the Client ID and Client Secret, create the PowerShell function defined below. The first code block sets the required variables and the second defines a function that gets an access token for the app.
# Add-type is required for the use of System.Web.HttpUtility
Add-Type -AssemblyName System.Web
# SET VARIABLES
$client_Id = '[TODO SET CLIENT ID]'
$client_secrect = '[TODO SET THE SECRET]'
# The secret should be url encoded.
$client_secrect_enc = [System.Web.HttpUtility]::UrlEncode($client_secrect)
$TenantID = '[TODO SET YOUR TENANT ID]'
$TenantName = '[TODO SET YOUR TENANT NAME]'
$siteName = "[TODO SET YOUR SITE RELATIVE NAME]"
# This function is to get an access token for the app.
function Get-AccessToken()
{
    # Form the token endpoint URL with your tenant ID
    $url = $("https://accounts.accesscontrol.windows.net/{0}/tokens/OAuth/2" -f $TenantID)
    $headers = @{
        'Content-Type' = 'application/x-www-form-urlencoded'
        'Accept' = '*/*'
    }
    # Create the form-encoded request body
    $body = $("grant_type=client_credentials&client_id={0}%40{1}&client_secret={2}&resource=00000003-0000-0ff1-ce00-000000000000%2F{3}.sharepoint.com%40{4}" -f $client_Id,$TenantID,$client_secrect_enc,$TenantName,$TenantID)
    # Make the call
    $item = Invoke-WebRequest -Method POST -Uri $url -Headers $headers -Body $body -UseBasicParsing
    # Parse the JSON response body (contains token_type and access_token)
    $res = ConvertFrom-Json $item.Content
    return $res
}
# In the body above, %40 is @ and %2F is /
Step # 2 Next, use the above function to get an access token and pass it in a REST call that reads items from a list.
function get-top-100-items()
{
    # Get an access token
    $response = Get-AccessToken
    # Form the REST URL to get items from a list
    $url = $("https://{0}.sharepoint.com/sites/{1}/_api/lists/getbytitle('DEMOList')/items" -f $TenantName, $siteName)
    # Set the headers: pass the token type and access token
    $headers = @{
        'Authorization' = $("{0} {1}" -f $response.token_type,$response.access_token)
        'Accept' = 'application/json; odata=verbose'
    }
    # Make a REST call with the URL and headers
    $item = Invoke-WebRequest -Method GET -Uri $url -Headers $headers -UseBasicParsing
    # The replacement below works around this error:
    # ConvertFrom-json : Cannot convert the JSON string because a dictionary that
    # was converted from the string contains the duplicated keys 'Id' and 'ID'.
    $strContent = $item.Content -creplace '"Id":','"Id-minus":'
    $items = ConvertFrom-Json $strContent
    return $items
}
function main()
{
    $AllItems = get-top-100-items
    $count = $AllItems.d.results.Count
    # Use -lt: valid indexes run from 0 to $count - 1
    for ($i = 0; $i -lt $count; $i++)
    {
        $Title = $AllItems.d.results[$i].Title.Trim()
        $rowID = $AllItems.d.results[$i].ID
    }
}
# Run the script
main
Conclusion
The steps above showed a way to make a SharePoint REST call. This is a sample way to make the call in PowerShell; you can replicate the same method in any other language.
Keep the following SharePoint REST Wall Poster as a reference.
How to use it the same way in an ajax call? Bypass the CORS error
Love you man! This post and note about url encode of client_secret saves my life 🙂