If you are developing an OAuth server to control the authentication, that server (your cloud) is the third party (a cloud external to SmartThings).
When the user logs in to your OAuth server, you need to return an access token code.
Check this sample, where an OAuth server is included for testing purposes, and you will be able to check how the access token is generated randomly (you can set your own mechanism).
3. The grantCallbackAccess is not needed unless you want to send updates from your cloud to SmartThings, for example, when the device status is changed manually and not from the ST mobile app.
Check more details about its configuration in the Node JS Schema Connector SDK repository and let me know if you have any doubts.
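
Added example (not part of the original post, the referenced sample, or the SDK): one way a test OAuth server can generate random access tokens, drawing them from the CSPRNG and keeping only their hash with an expiry. The names `issueAccessToken`, `validateAccessToken`, `tokenStore` and the one-hour lifetime are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const TOKEN_TTL_MS = 60 * 60 * 1000; // assumed lifetime: 1 hour

// Hypothetical in-memory store: sha256(token) hex -> { userId, expiresAt }.
// Only the hash is kept, so a leaked store does not yield usable tokens.
const tokenStore = new Map();

function hashToken(token) {
  return crypto.createHash('sha256').update(token).digest('hex');
}

// Call this after the user has logged in to your OAuth server.
function issueAccessToken(userId, now = Date.now()) {
  // 32 bytes (256 bits) from the OS CSPRNG; never Math.random() for tokens.
  const token = crypto.randomBytes(32).toString('base64url');
  tokenStore.set(hashToken(token), { userId, expiresAt: now + TOKEN_TTL_MS });
  return {
    access_token: token,
    token_type: 'Bearer',
    expires_in: TOKEN_TTL_MS / 1000,
  };
}

// Resolve a presented token to its user, or null if unknown or expired.
function validateAccessToken(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const key = hashToken(token);
  const entry = tokenStore.get(key);
  if (!entry) return null;
  if (now >= entry.expiresAt) {
    tokenStore.delete(key); // drop expired entries on first use
    return null;
  }
  return entry.userId;
}
```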