You only have two choices of bearer tokens:
- use your credentials
- use your users' credentials

> without asking for user authentication

that removes option 1)

> with no backend

that would require you to expose your credentials in the frontend. If you need to access restricted endpoints, this is a no-go, because you’re basically broadcasting your password. This is what is meant by

> since App Tokens should not be used on the client

The last option is to only query publicly available data on the API. Then you would only need to put a Client-ID in the frontend. Still not recommended, but at least not giving out credentials.