Due to upcoming changes to the Twitch API, you don’t due to oAuth requirements (unless using implict auth but you don’t want to authenticate random website visitors)
This indicates you didn’t set the required version header as documented
This is wrong, you need to use the channel ID and the client_id should be sent as header
So you are potentially leaking your oAuth token in a webpage to other users? Assuming you have not used implicit auth? This is not allowed, an oAuth token is like a Password, and shouldn’t be left in front end code, where others can see other peoples tokens.