Then if the script is being distrubuted.
You would be using oAuth implicit auth only (to prevent leaking your client secret).
You would then want to use the “temporary webserver” approach.
So that when a user clicks “auth” it starts a temporary web server to capture the token with.
And the redirect URI for that is gonna be http://localhost:someport
Just pick your port wisely