What is token secret and where to get it?

Token secret is an arbitrary key value encoded in Base32 according to RFC 3548. The padding specified in RFC 3548 section 2.2 is not required and should be omitted.

When setting up 2FA almost all service providers as one of the steps show QR code, which they offer to scan by authenticator application. But they also can show plain token secret as text. Some of them showing this text below the QR code, saying "Use this secret code if you can't scan QR code". Another have special button like "I can't scan QR code", and by hitting this button user gets plain token secret as text.

Details may vary depends on service provider, but in any case there will be an option to get plain token secret as Base32-encoded string. This string could be chunked into a groups of short strings or be just a single long string, it could be upper-cased or lower-cased.

Once you have this string you may use it to add new token into Flipper Authenticator application and then use generated code to finish up 2FA setup on service provider website.

Steam has its own token secret format as well as token format. Flipper Authenticator supports this format as well. You may read more here