Authorization Code Flow

The token proves to the storage that the app acts on behalf of the user. So even if you run a server-side or command-line app, it will use this login token to communicate with the storage.

There is another way to do this: your app server should host a FOAF profile, and in order to “issue” a token to that app, the user edits the .acl file on the storage to list that from now on, not only the user themselves, but also https://cool-app.com/foaf#card has access to that folder. Then, instead of presenting a proof-of-id of the user themselves, the app provides its own proof-of-id, and the ACL on the storage pod allows it access.

As far as I know, there is currently no way to issue bearer tokens in the traditional sense. Some more discussion about this here: Read-only or sub-folder OIDC scopes?

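An added example, not part of the original post or of any Solid project's own code: a Web Access Control `.acl` document for the approach described above, in which the app's own WebID is listed next to the user's. The pod folder `https://alice.example/notes/` and the user's WebID are constructed placeholders, and limiting the app to read access is an assumption made here; only `https://cool-app.com/foaf#card` comes from the post.

```turtle
# Constructed example: contents of https://alice.example/notes/.acl
@prefix acl: <http://www.w3.org/ns/auth/acl#> .

# The user keeps full rights on the folder, including acl:Control,
# which is the right to read and change this ACL document itself.
<#owner>
    a acl:Authorization ;
    acl:agent <https://alice.example/profile/card#me> ;   # assumed user WebID
    acl:accessTo <./> ;      # the folder this .acl belongs to
    acl:default <./> ;       # inherited by resources inside the folder
    acl:mode acl:Read, acl:Write, acl:Control .

# The app authenticates as its own WebID and is matched by this rule.
# It gets acl:Read only: no acl:Write, and no acl:Control, so it cannot
# widen its own access by editing the ACL.
<#cool-app>
    a acl:Authorization ;
    acl:agent <https://cool-app.com/foaf#card> ;
    acl:accessTo <./> ;
    acl:default <./> ;
    acl:mode acl:Read .
```

Deleting the `<#cool-app>` authorization revokes the app's access; because the grant lives in the folder's ACL, it never reaches resources outside that folder.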