2020-03-30 UTC
# 
Zegnat swentel: if you want some way for the app to get a token right from a token endpoint (in your case your Drupal backend), maybe consider QR codes? Your app would scan the QR code through the camera, that way the token never touches user UI (no email, no clipboard). It could then also be easily explained why it is one way: the app does not have an option to expose the token a again, it does not generate QR codes.