I had it generate the token purely because the remote app had that code in place, so did a copy/paste.
It’s not actually doing anything, so I can take it out without issue/breaking anything.
Sorry, when you said “You can’t do it” I thought you meant it was impossible, not that I wasn’t allowed to do it 
So it’s just getting my code to spot the onAuthorised call from Twitch. I tested it yesterday in the developer rig, and I didn’t get any response from it… so I figure I’ve done something wrong.
I uploaded your server.js to my host so that I can access it. Would it simply be a case of pasting your script.js code in to my front end, and getting the two to contact one another?