It would be best to avoid sending the token to the client at all if it is possible. This is because even if there is the slightest chance you can avoid some malicious toolbar/extension accessing your JS and accessing the token, it's very bad for the user and yourself.
You also have control over what the access can do.
For example, if it were Facebook and you published it to the client, it could be used to change their status, for example, in your app's name. On the server, where the token isn't exposed, this would not be possible.
You would also not be aware of changes made from the client, whereas you always would be on the server.
Unless your API has some kind of 'publishable key', never send an access token to the client.
The approach in 2 where you proxy it through the server is better.
The advantage with 1. (and pretty much the only one I can think of) is when you have some kind of usage throttling by the API provider which is per IP address (such as Twitter's hosepipe).
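A sketch of the server-side proxy from approach 2, as an added example that is not part of the original answer: the server keeps the token, only forwards actions on an allowlist, and records every request. The upstream URL, action names, token value and function names are all constructed for illustration.

```javascript
// Added example. UPSTREAM_BASE, the action names and the token are constructed.
const UPSTREAM_BASE = 'https://api.example.com';

// The only upstream calls the server will make on a client's behalf.
// A Map avoids inherited keys such as "constructor" matching as actions.
const ALLOWED_ACTIONS = new Map([
  ['getProfile', { method: 'GET', path: '/v1/me' }],
  ['listFriends', { method: 'GET', path: '/v1/friends' }],
  // No entry for "updateStatus": the client cannot post in the app's name.
]);

// Every request is recorded server-side, whether it was allowed or not.
const auditLog = [];

// Decide whether to proxy and, if so, build the upstream request.
// tokenStore maps userId -> access token and lives only on the server.
function planProxyCall(userId, action, tokenStore) {
  const rule = ALLOWED_ACTIONS.get(action);
  const token = tokenStore.get(userId);
  const allowed = rule !== undefined && typeof token === 'string';
  auditLog.push({ at: new Date().toISOString(), userId, action, allowed });
  if (!allowed) return { status: 403, upstream: null };
  return {
    status: 200,
    upstream: {
      method: rule.method,
      url: UPSTREAM_BASE + rule.path,
      headers: { Authorization: `Bearer ${token}` },
    },
  };
}

// What goes back to the browser: the upstream body only, never the planned
// request, so the Authorization header cannot reach client-side JS.
function clientResponse(plan, upstreamBody) {
  if (plan.status !== 200) {
    return { status: plan.status, error: 'action not permitted' };
  }
  return { status: 200, data: upstreamBody };
}

// Constructed sample data standing in for the server's token storage.
const sampleTokens = new Map([['user-1', 'constructed-token-abc123']]);
```

In a real handler the `upstream` object would be passed to the server's HTTP client and its response body handed to `clientResponse`.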