Best way to confirm client's identity on server?

Sure, it’s the user's own token.

But normally you would use sessions so the only thing you send to the user is a sessionID.
And when the user loads a webpage the session is loaded from the session store and that will have their Twitch Access Token attached to it.

This example uses NodeJS with Express and Express sessions to manage access to server side resources.
So I don’t send the user's token back to the user, I only send them a sessionID.

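The pattern described in the post above, as an added example that is not part of the original post or of the example it links to: the Twitch access token stays in a server-side store and the browser only ever receives an opaque session ID. To run without dependencies it uses an in-memory `Map` in place of express-session; the cookie name `sid`, the function names and the 30-minute lifetime are assumptions.

```javascript
// Added example: server-side session store. Only an opaque ID is sent to the browser.
const crypto = require('crypto');

const SESSION_TTL_MS = 30 * 60 * 1000; // assumed 30-minute session lifetime
const sessions = new Map();            // sessionID -> { twitchToken, expires }

// Call once the OAuth flow has completed: the token is stored on the server,
// and the returned Set-Cookie value carries nothing but the random session ID.
function createSession(twitchToken, now = Date.now()) {
  const sessionID = crypto.randomBytes(32).toString('hex'); // 256-bit unguessable ID
  sessions.set(sessionID, { twitchToken, expires: now + SESSION_TTL_MS });
  // HttpOnly keeps page scripts from reading the ID; Secure restricts it to HTTPS.
  const cookie = `sid=${sessionID}; HttpOnly; Secure; SameSite=Lax; Path=/`;
  return { sessionID, cookie };
}

// Extract the session ID from a request's Cookie header (hypothetical helper).
function parseSessionID(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'sid') return rest.join('=');
  }
  return null;
}

// Resolve the caller's Twitch token on the server. Returns null when the ID is
// malformed, unknown or expired, so the route handler can respond with 401.
function tokenForRequest(cookieHeader, now = Date.now()) {
  const sessionID = parseSessionID(cookieHeader);
  if (!/^[0-9a-f]{64}$/.test(sessionID || '')) return null;
  const session = sessions.get(sessionID);
  if (!session) return null;
  if (session.expires <= now) {
    sessions.delete(sessionID); // drop expired sessions on first use after expiry
    return null;
  }
  return session.twitchToken;
}
```

With express-session the store lookup and cookie handling are done by the middleware; the identity check in a route handler is the same "no session, no access" decision made by `tokenForRequest` here.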