Sounds about right yeah.
And yeah you shouldn’t leak your generated oAuth access tokens, user tokens are ok since they are the users own tokens. But an oAuth token is basically like a password and should be treated as such.
Doing it server side also means you can minimise the API requests you make as you can cache the data in your server