I want to hide any tokens from the client. How to do it?

Perhaps any of you have already solved a similar problem?

So far, I just came up with something like this:

  • during authorization, user sends a random string to the server
  • after refreshing the page, client sends a request with this random string and receives a token in response
  • client uses this token for api requests.

Such flow is not integrated into cockpit - you would need to pack this desired behavior into a plugin.

Alternative suggestion:
The easiest way to solve your problem would be to write some kind of php proxy that handles requests.
You could make use of an (php) router for this (I for example really like this one).
You would then define a simple route like:

$router->get('/c/{collectionName}', function ($collection_name) {
    // The token stays on the server; the upstream reply is already JSON, so do not json_encode() it again
    header('Content-Type: application/json');
    echo file_get_contents('https://your-server.com/api/collections/' . rawurlencode($collection_name) . '?token=...');
});

Now your ajax requests can target /c/<your desired collection here> and will be answered with the cockpit json result, without the user being able to see the token that is hidden behind the "php proxy".

(Of course you do not necessarily need a router library. You could also write this yourself, checking $_SERVER['REQUEST_URI'] and running code if it matches some defined routes.)

Another alternative would be to grant public readability to the collection (without the need of a token)
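The "php proxy" idea from the answer above, written out as a stand-alone script without a router library (this is an added example, not code from the thread or from Cockpit). It assumes the token is supplied in a COCKPIT_TOKEN environment variable, that the Cockpit host in COCKPIT_URL is a placeholder, and that the web server routes /c/<collection> to this file; the allowlist stops the hidden token from being used to read collections you did not intend to expose.

```php
<?php
// Added example: minimal proxy that keeps the Cockpit API token server-side.
// Assumptions: token in the COCKPIT_TOKEN env var, COCKPIT_URL is a placeholder
// host, and the web server sends requests for /c/<collection> to this script.
declare(strict_types=1);

const COCKPIT_URL = 'https://your-server.com'; // placeholder, not a real host

// Only collections listed here can be fetched through the proxy, so a caller
// cannot use the hidden token to read arbitrary collections or other endpoints.
const ALLOWED_COLLECTIONS = ['posts', 'pages'];

function proxy_collection(string $requestUri, string $token): array
{
    // Match on the path only; the query string is ignored and never forwarded.
    $path = (string) parse_url($requestUri, PHP_URL_PATH);
    if (!preg_match('#^/c/([A-Za-z0-9_-]+)$#', $path, $m)) {
        return [404, '{"error":"not found"}'];
    }
    $collection = $m[1];
    if (!in_array($collection, ALLOWED_COLLECTIONS, true)) {
        return [403, '{"error":"collection not exposed"}'];
    }

    // The token travels only in this server-side request, never to the browser.
    $url = COCKPIT_URL . '/api/collections/' . rawurlencode($collection)
         . '?token=' . rawurlencode($token);
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        return [502, '{"error":"upstream unavailable"}'];
    }
    // Pass the JSON through unchanged; json_encode() here would double-encode it.
    return [200, $body];
}

$token = getenv('COCKPIT_TOKEN') ?: '';
if ($token === '') {
    http_response_code(500);
    exit('{"error":"proxy not configured"}');
}
[$status, $body] = proxy_collection($_SERVER['REQUEST_URI'] ?? '/', $token);
http_response_code($status);
header('Content-Type: application/json');
echo $body;
```

The browser only ever sees /c/posts and the JSON body; the token appears in neither the request nor the response, and a request for a collection outside the allowlist is refused before anything is sent upstream.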

Why do you even want to hide the token? The api access token concept is meant to be used with public api consumers.