In OAuth the Bearer token is usually not your client secret. You use your client secret to exchange the activation code you got from the authorization endpoint for the Bearer Token.
At it's core the flow is as follows: The Client (Relying Party, RP) sends the User Agent together with the request to the Operator (OP). This request contains the kind of request (code for the Authentication code flow, token for the implicit flow), the scopes to which access is requested, and a redirect URI for the OP to return back to the RP. OP authenticates the user to an OP specific procedure. OP redirects the user to the Redirect URI, back to the RP, with the result of the authentication (error message in case of error, authentication code for the authentication code flow, bearer token for the implicit flow).
In the Implicit flow you are done and can use the Bearer Token for the API Calls as in your example. For the Authentication Code Flow, you (the RP) received an authentication code which needs to be resolved. To do so the RP needs to call the Token endpoint of OP to exchange the code for the bearer token. This includes some form of authentication of the RP against OP. This can either be by using the HTTP Basic Authentication header (base 64 encoded "client_id:client_secret") or by sending the authentication data form encoded as POST body (besides the code) or by using a MAC with the client secret, or by using private key cryptography to sign a blob of data.
So exemplary the flow is something like this:
1) User clicks link to
https://oauth.example.com/auth?client_id=xxx&scope=profile&state=yyy&response_type=code&redirect_uri=https%3A%2F%2Frp.example.com%2Fcallback2) Browser opens url, allows user to login (or use cookie to automatically login)
3) Browser redirects user to the redirect uri "
https://rp.example.com/callback" with the response encoded as GET parameters:
https://rp.example.com/callback?code=zzz&state=yyy4) Server at
https://example.com/callback checks for the session that is associated to state yyy.
5) Server sends POST request to token endpoint, e.g. at
https://oauth.example.com/token with header: "Authorization: Basic AUTH" where AUTH is Base64(client_id + ':' + client_secret) and POST body is "grant_type=authorization_code&code=zzz&redirect_uri=https%3A%2F%2Frp.example.com%2Fcallback" where zzz is the authorization code received in step 3 and redirect_uri is the same as used in step 1
6) OP returns JSON response containing the access token { "access_token": "TOKEN", "token_type": "Bearer", "expires_in": 3600 }
Now after this procedure you can use the access token TOKEN in the "Authorization" header for all the following requests as it is shown in the example you posted.
For futher information I can highly recommend looking at the
examples from the OIDC specification. While it is OIDC, OIDC builds upon OAauth2, so there is everything you need to know. Just ignore everything related to the "id_token"