Getting the access-token can be implemented either from client side or from your server which is the more secure solution.