After first call to Token, proceed to Credentials List endpoint. Use access_token to authorise against the rest of the flow. After second call to Token, proceed to Sign Hash. For Sign Hash, use the access_token from the first Token call to authorise (include the token in the header), and use the second access_token retrieved from the second call to Token to supply SAD (a special token with limited lifetime which authorises the signing of the payload itself).
Try It!to start a request and see the response here!