You can’t do this securely with OAuth or the legacy api key from within javascript. It exposes you secrets publicly. For either scenario you should have some backend service. With OAuth you can authorize yourself and store that access token and refresh token and handle the refresh on your backend. There are other options for web form submits like the word press plugin if you happen to have a word press site (there are others as well).
You can conceivably do this securely but you should take some things into account. First, you’ll have to call php scripts local to your server from within JS. Second, when calling scripts you have to make sure to call them relative to the server path NOT with a url. Using a full url sends it out over the internet and back again, exposing private information. So http://www.thissite.com/endpoint/ should only be called as …/endpoint/ which ensures everything remains local. You could even make local AJAX calls to scripts as endpoints and implement it as a full REST solution receiving JSON/XML back to the JS caller. When doing this, however, NEVER call out to anything outside of the server except by way of the standard api methods.