If you are building a CI-related service, it is sensible to design it to accept Taskcluster credentials for authentication to its API methods.
This is quite simple: call
from your backend with the appropriate parts of the HTTP request. Then verify
that the returned scopes satisfy the scopes required for the operation being
protected. There is no need to "register" the scopes you would like to use,
but see the namespaces document for guidance on
selecting appropriate names.
The advantage of this approach is that it facilitates service re-use: anyone who is familiar with Taskcluster APIs can call your API, whether from a task, the command line, the browser, or another service. Furthermore, the backend never sees the credentials, just the Hawk signature.
If you build a user interface around this approach, it is safe to display the
clientId to the user so they can recognize the login. Just be cautious of the
warning in the guidelines section regarding using
clientIds for authentication.