Hydrogen, Headless, and Storefront APIs

Hi! I have created a simple feedback app that is not public. How to properly authenticate? in my JS code, the token is passed openly. It's unsafe, isn't it?

var requestOptions = {
  method: 'POST',
  headers: {
    'X-Shopify-Access-Token': accessToken,
    'Content-Type': 'application/json'
  },
  body: ConstructJs,
  redirect: 'follow'
};

the JS file from which requests are made is located in the Shopify files, that is, along with the site.