From https://www.mediawiki.org/wiki/Topic:Vmwiwu073xo33eh5 (and a request on IRC)
Looking at https://www.mediawiki.org/wiki/OAuth/For_Developers#Authorization_2
When registering the application, you receive two pieces of credentials: the consumer token (a public ID for the application) and the secret token (sort of like a password).
Ask the user to authorize the application by sending them to oauth2/authorize under the wiki's REST endpoint (usually rest.php), with response_type=code and the client token (as client_id), and ideally also a request_url and state.
Where does the client token come from? Is it the "consumer token" mentioned above? If not, why is "client token" the only mention of "client token" in the documents?