From the Management API documentation it seems that a user would need to share the manually generated token or their client_secret in order to generate a token.
Is there a way to interact with the Management API using OAuth so that at the end of the OAuth flow the output is an access_token and a refresh_token that will be later used to request a Management API token?
The recommended approach to obtain tokens for the Management API is to make use of the OAuth2 client credentials flow, as mentioned in the documentation you linked to.
A refresh token for client credentials grant is a bit redundant because a refresh token is meant to represent a specific grant that was issued and which can be reused to obtain refreshed access tokens at a later time. This is equivalent to the client identifier and client secret because that information when used within the scope of client credentials grant is already sufficient to represent the grant in question and can also be used to obtain refreshed access tokens.
In conclusion, the answer to your question is no. If you want to give access to the Management API to a given application then that application will need to know a client identifier and a client secret and perform a client credentials grant.
Thank you for the answer @jmangelo, I’ll make sure to use the client_secret in order to obtain tokens.