Please find more information here.
The documentation states that I need a return uri does this mean that the authorization part always needs to be done in a browser window?
I guess it depends on what you want to do...
My use case is to manage TV accounts from our internal user management program.
To avoid having to get a new bearer token every 24 hours, we have created a "impersonate" TV account - then create a script token under the profile settings for this user.
This is also preferable when creating users, since the email uses the TV account for sender info and name in the "account created for you" email.