I want to hide any tokens from the client. How to do it?

Perhaps any of you have already solved a similar problem?

So far, I just came up with something like this:

  • during authorization, user sends a random string to the server
  • after refreshing the page, client sends a request with this random string and receives a token in response
  • client uses this token for api requests.

Such flow is not integrated into cockpit - you would need to pack this desired behavior into a plugin.

Alternative suggestion:
The easiest way to solve your problem would be to write some kind of php proxy that handles requests.
You could make use of an (php) router for this (I for example really like this one).
You would then define a simple route like:

$router->get('/c/{collectionName}', function($collection_name) {
    echo json_encode(file_get_contents("https://your-server.com/api/collections/${collection_name}?token=..."))

now your ajax requests can target /c/<your desired collection here> and will be responded with the cockpit json result without the user is being able to see the token that is hidden behind the “php proxy”

(Of course you do not necessarily need a router library. You could also write this your self checking the $_SERVER[‘REQUEST_URI’] and running code if it matches some defined routes).

Another alternative would be to grant public readability to the collection (without the need of a token)

Why do you even want to hide the token? The api access token concept is ment to be used with public api consumers.