As for each request a token is needed, I am creating a token for each application that wants to access my content (Setting->API Access).
I am using these tokens for a React.js app, which means I have to store the token somewhere in the app, and if someone understands how to investigate my source code (e.g. via the development tools in Chrome) this token can be taken to access my data even without “my permission”.
Is there any other way to do this as of now? Like, for example, an OAuth 2.0 mechanism.
Perhaps you should rather use the access tokens of different users.
If the user does not have write access to a collection, he also won’t have write access using the API.
So set up a user for each of your apps and restrict their permissions to only read data (or even use public read access for the collections).
Then set up one more user who is able to write data.
Then there will be no problem if someone tries to use the API key he is able to see.
Yes, this sounds like a possibility. I will then combine it with a whitelist for URLs which can call the API for the specific token, and then at least only the intended apps can get to the data.
My requirement is that also only certain apps can read the data.
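The two ideas in this thread, a read-only token for the app that ships in the browser plus a separate write token kept server-side, and a per-token allowlist of calling origins, can be combined in one small authorization check. The block below is an added example written for this discussion; it is not code from the thread, and it is not the API of any particular product. The token values, user names, origin and the `authorize(request)` function are all constructed for illustration. The `request` shape (`method`, `token`, `origin`) is an assumption about how the surrounding server would hand the check its inputs.

```javascript
// Added example (not from the original thread): per-token least-privilege
// authorization with an optional per-token origin allowlist.
// All tokens, names and origins below are constructed sample values.

// Each API token maps to a user with its own permissions.
// The token embedded in the browser app only gets "read"; the token that
// may write is meant to stay on a backend and never ships to the client.
const apiUsers = {
  "tok-reader-public-app": {
    name: "react-app",
    permissions: ["read"],
    // Only requests that carry this Origin may use this token.
    allowedOrigins: ["https://app.example.com"],
  },
  "tok-writer-backend": {
    name: "importer",
    permissions: ["read", "write"],
    // null = no origin restriction (server-to-server use, no browser Origin).
    allowedOrigins: null,
  },
};

// HTTP methods that change data and therefore require the "write" permission.
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// request: { method, token, origin } (origin may be undefined for non-browser clients)
// Returns an object describing the decision so callers can map it to a response.
function authorize(request) {
  const { method, token, origin } = request;

  const user = apiUsers[token];
  if (!user) {
    return { ok: false, status: 401, reason: "unknown token" };
  }

  // Derive the needed permission from the method, never from what the client claims.
  const needed = WRITE_METHODS.has(method.toUpperCase()) ? "write" : "read";
  if (!user.permissions.includes(needed)) {
    return { ok: false, status: 403, reason: `token lacks ${needed} permission` };
  }

  // Origin allowlist, applied only to tokens that declare one.
  if (user.allowedOrigins !== null) {
    if (!origin || !user.allowedOrigins.includes(origin)) {
      return { ok: false, status: 403, reason: "origin not allowed for this token" };
    }
  }

  return { ok: true, status: 200, user: user.name };
}

module.exports = { authorize, apiUsers };
```

Two points about the design. First, the damage a leaked browser token can do is bounded by the permissions of the user it belongs to, which is the whole value of the "one read-only user per app" setup; the write token is never exposed. Second, the origin allowlist is a browser-side control: the `Origin` header is only set reliably by browsers, so the permission check is what actually protects the data, and the allowlist is a useful extra layer rather than the primary boundary.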