Thanks for the quick answer!
Given that I don’t want to pull the user through authentication at all, I’m guessing I should use the 2nd option you mentioned:
However, as I mentioned, I tried it already, and when using User B’s OAuth, it responded with “Client ID is missing”.
When I created the app (leaving the redirection as “https://localhost”, because no one should ever authorize there or go into any links) and copied the Client ID, it throws the error “Client ID and OAuth token do not match”, so still not that.
So I don’t see how I can do it with just User B’s OAuth token without sending anyone through authorization, as you proposed…