Hello @athomas,
In your first use case, response type `token` implies the use of the implicit grant flow, which results in an access token being sent directly back to the app via the front channel.
In your second use case, response type `code` implies you are using the authorization code grant flow. The authorization code that is returned is not an access token (AT). The authorization code needs to be exchanged for an AT at the authorization server (AS).
As I mentioned previously, getting metadata into the access token requires using rules to add custom claims.
Note that it is now recommended to avoid using the implicit grant flow due to inherent weaknesses in that flow. It is preferable to use auth code + PKCE for single page apps.