That looks like an authorize code, not an access token, so your client now needs to use the authorize token to request an actual access token.
Either that, or you change the grant request type use “token” (response_type=token) when you make your initiali authorize request. Then you won;t need the secret.
I made this earlier to help people out with the OAuth flow: