I understand the logic, but as a user I would probably create an account on my laptop. If I then would have to log in there and create a token, it’d be annoying to get it to my phone (either store & sync in a txt file or password manager comment, or type by hand).
Instead, if I have a username and password (what you call secret, I think), I could just log in on AntennaPod quickly using the password manager on my phone (which contains the credentials that I created on my laptop). AntennaPod could then submit those credentials to the API and if correct receive and store the token (not storing username/password) - without the user having to think about complicated strings.
Then (as in the new gpodder.net flow linked above) in the next step the user could give the device a name that is then sent to FD (to help recognise the device when managing the account on web).
It exists to open/add feeds, I guess a new scheme would need to be developed/supported for this case.
And one note to set expectations right: I’m happily discussing here with you and would love to see this implemented, but I’m not a developer so it’d be up to others to actually implement it. And whether they want to depends on interest, time, etc.