Why does oAuth need access tokens?

Platforms have users with a userId, and the external app can also be represented as a user with a userId. Just as users can grant other users access (read, write etc) to their resources, they can do that with apps, too.

So why can’t an external app simply authenticate its requests with the platform, by using its own userId (API key) and HMAC with the app’s own secret (or sign each request with its private key)? The user can manage permissions / scopes of the “oAuth” app by visiting the same control panel they would by granting any other user access.

What advantage does oAuth have by having this access token? The only advantage I see with access tokens or JWTs is that you can skip the I/O request to the authorization server, like using capabilities rather than Access Control Lists. But isn’t this just less secure — and anyway if you have to check access token revocations, you still have to do the same amount of I/O.

Basically I’m asking why can’t oAuth apps simply skip the access tokens since the platform knows what app is requesting what resource anyway?

In authorization_code flow, it is the user that grants a 3rd party access to their information.

The client acts on behalf of the user, not itself.

Imagine you're using a desktop application or web application that directly talks to an API. If the credentials in the desktop application would be valid for every user that has granted access to to client, it would be a major issue.

For example, I use Thunderbird and it uses OAuth2 to authenticate with gmail. Gmail sends back an access token that limits Thunderbird to only access my email and not every other email account that has ever given access.