Flashii Docs

(formerly Railgun) if it ain't broke, we'll break it


This is an old revision of the document!


Client types

OAuth defines two client types. Flashii defines a third one, which is only available for internal use. The client type is chosen when a client is registered on the Flashii settings page and cannot be changed afterwards. Which type you should pick depends on the level of trust the application is capable of.

  • Public clients are only issued a Client ID and no Client Secret, as they lack the ability to store confidential values. An example of such a client would be one that performs its interaction with the API entirely on the user agent, with no additional backend layer in between.
  • Confidential clients are issued both a Client ID and Client Secret and are able to perform secure client authentication. As the name suggests, the Client Secret acts as a password and should be kept private on a backend server. Bearer tokens obtained through this method can still be used to make requests to the API directly from the user agent. If this is not desirable, the client backend server should implement its own session system so the access and refresh tokens can be kept confidential.
  • Trusted clients are specific to Flashii and are an extension to the Confidential client type. Developers are not able to select this client type on their own and it is only meant to be used by official Flashii/second-party applications such as Patchii. Rather than asking for approval, authorization requests are accepted automatically.

When registering your client/application, you will be asked what level of confidentiality your client is capable of, but an easy rule of thumb is: if everything is client side, pick public; if there's a backend server in between, pick confidential!

oauth/client-types.1770839001.txt.gz · Last modified: by flash