This CMS just keeps giving and giving.
Just keep in mind: unless your code runs server-side releasing the token like that into the wild makes /api/cockpit/image a public endpoint.
But it should be fine as you still have to know the images paths to make the API produce the images.
Just make sure you use a custom key for that token with only access to the image-api-endpoint.
Turns out you can also directly use the image path inline.
<img src="/api/cockpit/image?token=xxtokenxx&src=yourImagePath.png&mime=image/webp&o=1">