Developers generally do not interface directly with Oracle HSM. The two exceptions are the libsam API and the libsamrpc API. These two APIs provide the same functionality. libsam is for a local machine only, while libsamrpc communicates to the MDS through rpc(3) to implement the requested actions. Authentication of requests made by either method is based on the UID and GID of the calling process. They have the same permissions as the requests made through the command line. Make sure you have a common UID and GID space for MDS and the client systems.
For more information, see the intro_libsam(3) and intro_libsamrpc(3) man pages.