Am i getting this right? https://www.instagram.com/developer/authentication/
A visitor of a website that calls the Instagram API must login with their own account in order for the application to fetch data from the Instagram API?
Certainly it's the best way to do it.
Until June 2016 it's also possible to use client-id to make requests despite of access token. But this is deprecated, so don't use it.
From Instagram:
The Instagram API requires an access_token from authenticated users for each endpoint. We no longer support making requests using just the client_id.
To avoid users must login, you can authorize your user to create an access_token and make all requests with this token. But it's not a good idea because of the rate limits on the API.
From Instagram:
All rate limits on the Instagram Platform are controlled separately for each access token, and on a sliding 1-hour window.
And Global Rate Limits:
Sandbox Mode - 500 requests/hour
Live Mode - 5000 requests/hour
So if you use just one access_token you will be limiting to 5000 requests per hour (live mode) to all users of your site and your app access could easier be blocked by Instagram.
The best and safer way is to force users to login with Instagram, generate an access_token for each user and then perform requests using users token (with 5000 requests per user, per hour).
Good luck.