I did it. It took too many hours of fighting, thanks to bad and conflicting documentation (mostly on the API side) and a good measure of clueless newbieness, but I did it.
I’ve got an app working that runs through the entire OAuth2 process for my local grocery store’s API. It gets an authorization code using the Webviewer (with a redirect to a page with some javascript that sends back the authorization code as a Webviewer message, using this thing: GitHub - thunkable/webviewer-extension: Communicate between the Thunkable Web Viewer and a website ), then it switches to WebAPI to get get an access token and refresh token with that authorization code.
But oh man, that debugging. Every single attempt, I had to redo my log in on the grocery store’s website (since I couldn’t yet get the authorization token that would have let me skip it). If I ever log in manually to the grocery store’s website again manually, it’ll be too soon.
Next goal: Put something in my shopping cart! 
