When using “regular” oAuth the token is returned in step 3
Here is a sample request:
POST https://id.twitch.tv/oauth2/token
?client_id=uo6dggojyb8d6soh92zknwmi5ej1q2
&client_secret=nyo51xcdrerl8z9m56w9w6wg
&code=394a8bc98028f39660e53025de824134fb46313
&grant_type=authorization_code
&redirect_uri=http://localhost
You exchange the ?code= on the redirect for a access_token and refresh token
If using implcit
It’s only really available to the front end, via javascripts document.location.hash
For server to server/app access/client credentials it’s returned similar to regular user oauth in the POST request you make
Which token you attempt to get will depend on what you want to do with that token