I've been trying to use Instagram's API to extract tagged photos to show on a website, but have had trouble generating an access token (not part of this question).
I see that there are many JavaScript scripts for showing Instagram feeds and usually they require you to add your access token in script.
So I just found a random website using one of these scripts and borrowed their access token (just for testing).
So my questions are, what is the point of going to the trouble of generating an access token if it just gets made public anyway? Could someone do something malicious with my access token? Will it affect rate limits? Basically, should they be kept private?
Best Answer
Yes, API tokens should be kept private. Think of them as a replacement for your username and password. It's another way of authenticating who you are and what type of access you should have.
As for what can be done with any particular API token, this varies from service to service. Some services allow you to create API tokens with limited access, some only have one level of access.
Some sites provide API tokens with limited or public access with the idea being you can use these to experiment with and learn your way around their API. These usually only have 'read' but no 'write' access.