Putting Access_Token to rest - inside the core - Most Secure

The cloud API only accepts HTTPS connections, so your access token is always transported encrypted.

The issue is that if you want to have a web page on a server on the Internet, you need to take steps to prevent someone from doing View Source on your web page to see the token. These steps are easy if you have your own web server and could be automated at the level of a pop-up dialog asking for your username and password, which would use the HTTPS Cloud API to fetch a new access token and store it securely on the server.

These steps to prevent your token being visible are harder or impossible if you are just serving up a static page from a web hosting service that doesn’t allow server-side programming.

I think cookies really don’t apply here since the traffic is server to server, not browser to server.

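The server-side approach described in the post above, as an added example that is not part of the original post: the token lives only in the server's environment, the page sent to the browser never contains it, and the server attaches it when relaying an allowlisted call. The cloud URL, the `CLOUD_ACCESS_TOKEN` variable, the Bearer header and the `{"arg": ...}` body format are assumptions, not details from the post.

```python
import json, os, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed placeholder endpoint; substitute the real HTTPS cloud API base URL.
CLOUD_BASE = "https://cloud.example.com/v1/devices/DEVICE_ID_PLACEHOLDER/"
ALLOWED = {"led", "status"}  # the only functions the browser may trigger
# Page served to the browser: it calls our own /api/ path and holds no token.
PAGE = b"""<!doctype html>
<button onclick="fetch('/api/led',{method:'POST',body:'on'})">LED on</button>"""

def build_upstream_request(path, body, token):
    """Map a browser request for /api/<name> to an authenticated cloud call."""
    name = path[len("/api/"):] if path.startswith("/api/") else ""
    if name not in ALLOWED:
        raise ValueError("function not allowed")
    data = json.dumps({"arg": body.decode("utf-8", "replace")}).encode()
    return urllib.request.Request(
        CLOUD_BASE + name, data=data, method="POST",
        headers={"Authorization": "Bearer " + token,  # added server-side only
                 "Content-Type": "application/json"})

class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):
        self._reply(200, PAGE, "text/html")

    def do_POST(self):
        try:
            length = max(0, min(int(self.headers.get("Content-Length", 0)), 256))
            req = build_upstream_request(self.path, self.rfile.read(length),
                                         os.environ["CLOUD_ACCESS_TOKEN"])
        except ValueError:
            return self._reply(400, b"bad request", "text/plain")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                self._reply(resp.status, resp.read(), "application/json")
        except OSError:  # covers URLError/HTTPError; no upstream detail leaked
            self._reply(502, b"upstream error", "text/plain")

    def _reply(self, code, body, ctype):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

View Source on the served page shows only the relative `/api/led` call; the allowlist keeps the proxy from becoming a general-purpose relay for anyone who can reach it.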