ProvisionPoint authenticates with your Azure AD tenancy to communicate with your SharePoint Online instance. This is great for you as it means you don't have to run or maintain any code yourself, you just securely connect your SharePoint environment to ProvisionPoint and get going.
ProvisionPoint uses industry standard security practices, in line with Microsoft recommendations. An administrator of your organisation will 'Trust' the ProvisionPoint app, and your users will authenticate to it using their normal organisation credentials.
Queues and Workers
Some SharePoint operations take a long time - like creating Site Collections, for instance. Rather than making the requestor sit there and watch a spinner for 15 minutes, ProvisionPoint pushes all SharePoint-related requests to a queue for processing separately. This can tick away in the background and when things have been finished the user will be notified.
Using a queue also means that we can keep a history of everything that's happened to each site. We can retry failed requests, and won't ever overload the system.
Of course, you manage all the apps allowed to connect to your Azure AD tenancy - so you can choose to change or remove access whenever you like. You can stop ProvisionPoint at any time.
We like pictures too - so we sketched one out to explain what's going on...