It seems the current oauth2 is admin level only and the token response does not even show who the installer/authorizing user is.

We build integrations for users of a location and would prefer to get a user token (obeying user-level permissions) from the oauth2 flow.

We can continue using the current admin-level flow for now but at least knowing which user authorized the access would be useful.

By the way, at the moment any non-admin user can go through the oauth2 flow and get a location access token. This does not seem right because the token gives admin access to a non-admin user.