All requests must be authenticated using OAuth. Please consult http://oauth.net/documentation/getting-started/ for an introduction to OAuth. OAuth libraries for different programming languages are listed at http://oauth.net/code/.
Long story short, you need a consumer_key and a consumer_secret. The consumer_key is a little bit like your username and is part of the request. As for the consumer_secret, well, it's a secret and must be kept to yourself.
The consumer_secret is used to generate a signature for the request. The signature is included in the request itself just before you send it. When we receive it, we generate the signature with your consumer_secret and if it matches the signature you specified, we know the request comes from you.
By default, you should be signing API calls using 2-legged OAuth. In other words, the access token and access token secret parameters are simply left empty. If every single request you will make to Context.IO comes from servers you (and only you) have full control over, this is a perfectly fine and secure way to authenticate calls and control access to accounts connected to your key.
However, if you're building a mobile application or a browser extension that will make direct requests to Context.IO, you must enable 3-legged signatures for your API key.
A more generic way to explain this would be as follows: if your consumer secret is distributed in any way, shape or form on a server or in client code that isn't under your exclusive control, make sure your API key is configured for 3-legged signatures. This ensures that any distributed device that knows your consumer secret won't have access to accounts other than those added from the device itself.
With 3-legged signatures enabled, every account under your key gets a unique access_token and access_token_secret assigned to it when it is created (see the POST request on accounts for more info). These values will then be required to sign requests on that specific account.
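The signing and verification described above, sketched as an added example (not Context.IO's own code). It assumes the OAuth 1.0 HMAC-SHA1 signature method, which the page does not name, and every URL, key, token and secret in it is a constructed placeholder.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# All values below are constructed placeholders, not real credentials or endpoints.
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET_A = "constructed-token-secret-account-a"
TOKEN_SECRET_B = "constructed-token-secret-account-b"
URL = "https://api.example.invalid/accounts/ACCOUNT_A/messages"
BASE_PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_timestamp": "1700000000",
    "oauth_signature_method": "HMAC-SHA1",  # assumption: not stated on the page
    "oauth_version": "1.0",
}

def pct(value):
    """OAuth 1.0 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    """Sign a request; token_secret stays empty for 2-legged calls."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    # The HMAC key is always "consumer_secret&token_secret"; 2-legged ends in "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url, params, presented, consumer_secret, token_secret=""):
    """Server side: recompute with the stored secrets, compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)

if __name__ == "__main__":
    # 3-legged: the request carries the account's token and is keyed with its secret.
    params = dict(BASE_PARAMS, oauth_token="constructed-access-token-a")
    sig = sign("GET", URL, params, CONSUMER_SECRET, TOKEN_SECRET_A)
    print("account A secret:", verify("GET", URL, params, sig, CONSUMER_SECRET, TOKEN_SECRET_A))
    print("account B secret:", verify("GET", URL, params, sig, CONSUMER_SECRET, TOKEN_SECRET_B))
    print("consumer secret only:", verify("GET", URL, params, sig, CONSUMER_SECRET))
```

Only the first check succeeds: a signature keyed with one account's token secret does not verify against another account's secret, nor against the consumer secret alone.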