Hacker News

unscaled, today at 2:21 PM

PKCE, OAuth 2.0 for Native Apps and the Device Code flow are a thing. In practice all of these clients work so well with OAuth 2.0 that the implicit and resource owner password credential grants have been removed from OAuth 2.1, and the latest OAuth 2.0 BCP forbids the password grant and strongly recommends against the implicit grant.


Replies

ForHackernews, today at 2:37 PM

... so, then, there is a need for something other than a shared opaque random string API key?

I feel like I'm being argued in a circle by a series of strawmen.