How to use the API with a backend-only service

I’ve not come across the client credentials flow being used with SmartThings before. That’s not to say it might not be used internally but it is usually the authorization code flow that is seen.

SmartThings have SDKs to support using Node.js SmartApps, as well as example OAuth-In apps, which have also been known as API Access apps (example).

I posted a comment in another thread showing the flow outside the context of actual apps.

The deal with PATs is that ST have become concerned by potentially extremely powerful tokens with fifty-year lifespans being used in production contexts that they weren’t ever intended for. Freshly created PATs now have a 24-hour lifespan and, in use, the API is rate limited in certain contexts. Existing PATs created before the end of last year remain as they were.

Unfortunately PATs can’t be effectively replaced by SmartApp tokens in all the cases they have found themselves in. SmartApp tokens work within single Location contexts which is fine for day to day operation. PATs also allow you to do administrative tasks at the user account level. Setup of apps is an example.