That’s all a bot uses to log in with.
It uses the username as the login
and the oAuth token as the password.
It doesn’t use a clientID.
Generally you will use your own oAuth generation loop in order to generate a token to log in with, which would need a webflow and a clientID + secret.
This sounds like you’ve grabbed tmi.js off the shelf and someone else’s token generator to get going.
There are a number of criteria at play here.
“regular” users can’t repeat the same/identical message in a 30 second window.
If you were consuming NOTICE/USERNOTICE and/or raw logging you would see a suitable alert.
TMI.js will often hide these and not all people catch them.
You need something more “raw” for learning with than a library that will interpret errors for you.
Example: https://github.com/BarryCarlyon/twitch_misc/tree/main/chat
And add a console.log to line 201, for example.
This example logs into chat anonymously, but you can see on lines 69/70 where you would substitute a result username and oAuth token.
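
What consuming the raw NOTICE/USERNOTICE lines mentioned above can look like without a wrapper library, as an added example that is not part of the original post or the linked repository. The sample lines, channel and user names, and message texts are constructed for illustration.

```javascript
// Added example; SAMPLE_LINES are constructed, not captured traffic.
// IRCv3 tag values escape ';', space, '\', CR and LF.
function unescapeTag(value) {
  const map = { ':': ';', s: ' ', '\\': '\\', r: '\r', n: '\n' };
  return value.replace(/\\(.?)/g, (_, c) => (c in map ? map[c] : c));
}

// Split one raw chat line into { tags, prefix, command, params }.
function parseLine(line) {
  let rest = line.replace(/\r?\n$/, '');
  const msg = { tags: {}, prefix: null, command: '', params: [] };
  if (rest.startsWith('@') && rest.includes(' ')) {
    const end = rest.indexOf(' ');
    for (const pair of rest.slice(1, end).split(';')) {
      const eq = pair.indexOf('=');
      msg.tags[eq < 0 ? pair : pair.slice(0, eq)] = eq < 0 ? '' : unescapeTag(pair.slice(eq + 1));
    }
    rest = rest.slice(end + 1);
  }
  if (rest.startsWith(':') && rest.includes(' ')) {
    const end = rest.indexOf(' ');
    msg.prefix = rest.slice(1, end);
    rest = rest.slice(end + 1);
  }
  const trailingAt = rest.indexOf(' :');
  const parts = (trailingAt === -1 ? rest : rest.slice(0, trailingAt)).split(' ').filter(Boolean);
  msg.command = parts.shift() || '';
  msg.params = parts;
  if (trailingAt !== -1) msg.params.push(rest.slice(trailingAt + 2));
  return msg;
}

// Keep only the server notices that explain a failed login or a dropped message.
function findNotices(lines) {
  return lines.map(parseLine)
    .filter((m) => m.command === 'NOTICE' || m.command === 'USERNOTICE')
    .map((m) => ({
      command: m.command, channel: m.params[0], msgId: m.tags['msg-id'] || null,
      text: m.params.length > 1 ? m.params[m.params.length - 1] : '',
    }));
}

const SAMPLE_LINES = [
  ':tmi.twitch.tv NOTICE * :Login authentication failed',
  '@msg-id=msg_duplicate :tmi.twitch.tv NOTICE #examplechannel :Your message was not sent because it is identical to the previous one.',
  ':someuser!someuser@someuser.tmi.twitch.tv PRIVMSG #examplechannel :hello',
  '@msg-id=sub;system-msg=someuser\\ssubscribed :tmi.twitch.tv USERNOTICE #examplechannel',
];
for (const n of findNotices(SAMPLE_LINES)) console.log(n);
```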