Use the -t option with cf to see the HTTP request for a login:
request: post http://login.myip.xip.io/oauth/token
headers: {"content-type"=>"application/x-www-form-urlencoded;charset=utf-8", "accept"=>"application/json;charset=utf-8", "authorization"=>"Basic Y2Y6"}
body: grant_type=password&username=myuser&password=mypwd
I'm not sure I understand the second question. You login with a user/pwd and get the access token, then send that token with subsequent requests.