Aaron Parecki
Yes exactly. In that diagram, the example is a Vue.js client-side app. This post doesn’t use a framework, and instead uses plain JavaScript.
In both cases, the assumption is that the client-side app will be calling other API backends (not drawn in that diagram).
You would use the access token obtained in the flow as a bearer token sent to the API, preferably in the HTTP Authorization header. The client-side app should not do any validation of the access token itself, as that is entirely the job of the backend API.
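The pattern described in the comment above, as an added example that is not part of the original comment or post: the client sends the access token as a bearer token in the `Authorization` header, treats it as an opaque string, and lets the API's response decide whether it is valid. `API_ORIGIN`, `buildApiRequest`, `callApi` and `onUnauthorized` are hypothetical names, and the origin check is an added safeguard assumed here, not something the comment specifies.

```javascript
// Hypothetical backend API origin (assumption for this example).
const API_ORIGIN = "https://api.example.com";

// Build a request carrying the access token as a bearer token in the
// Authorization header (not in the query string). The token is opaque to
// the client: it is never decoded, parsed or checked for expiry here.
function buildApiRequest(path, accessToken) {
  const url = new URL(path, API_ORIGIN);
  // Only ever attach the token to requests bound for the API origin.
  if (url.origin !== API_ORIGIN) {
    throw new Error("refusing to send access token to " + url.origin);
  }
  return {
    url: url.toString(),
    init: { method: "GET", headers: { Authorization: "Bearer " + accessToken } },
  };
}

// Call the API. Validation is the backend's job; the client only reacts
// to the outcome (401 means the API rejected the token).
async function callApi(path, accessToken, opts = {}) {
  const fetchImpl = opts.fetchImpl || globalThis.fetch;
  const { url, init } = buildApiRequest(path, accessToken);
  const res = await fetchImpl(url, init);
  if (res.status === 401) {
    if (opts.onUnauthorized) opts.onUnauthorized(); // e.g. restart the flow
    throw new Error("API rejected the access token");
  }
  if (!res.ok) throw new Error("API error " + res.status);
  return res.json();
}
```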