After further investigation, I don’t think this is possible, at least not in my case. The M2M app has “Token Endpoint Authentication Method” set to “POST” which requires a client secret to get a token back. My client side code doesn’t have the secret, and if I set the auth method to “None” it’s weird because then what does the M2M app do with the secret?