I think (I’m guessing here) the answer to my own question lies in the fact that these details are not available to unauthorized users of the API (i.e. they can only be accessed by the station owner). In which case the OAuth2 flow is required.
@dsj sorry to badger when you are busy with Tempest, but can you comment on what progress has been made with this? Is it possible to implement OAuth2 authorization in a third-party application yet?