This page suggests "OAuth Authorization code flow" but i don't believe this is correct because for a chatbot to be effective you would need the access token to never expire or the process to handle expiry and refresh to be event driven. Having a robot/non-existing user login seems misleading or wrong.