GitLab FOSS issue #18302

Private token should not be made available on the client side

Your private_token is currently available through gon.api_token which:

it’s as though my password is displayed...

--Stan

AFAIK private_tokens should never be available on the client side as they are the same as passwords.

cc @DouweM @rspeicher @stanhu @dzaporozhets
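A regression check for the exposure reported above, added here as an example; it is not part of the original issue or GitLab's code. It assumes gon settings reach the browser as `gon.<key>=<JSON value>;` assignments inside a script element; the helper names and the sample HTML are constructed for illustration.

```ruby
# Added example: flag credential-like values handed to page scripts via gon.
# Assumption: the rendered HTML carries `gon.<key>=<JSON value>;` assignments.
require 'json'

# Key names that suggest a credential (hypothetical policy for this check).
SENSITIVE_KEY = /token|secret|password/i

# Returns [[key, value], ...] for every gon assignment found in the HTML.
def gon_assignments(html)
  pattern = /\bgon\.([A-Za-z_]\w*)\s*=\s*("(?:\\.|[^"\\])*"|[^;]*);/
  html.scan(pattern).map do |key, raw|
    value = begin
      JSON.parse("[#{raw}]").first # wrap so bare scalars parse everywhere
    rescue JSON::ParserError
      raw # not plain JSON; keep the raw text for comparison
    end
    [key, value]
  end
end

# Returns the gon keys that either look like a credential by name or carry a
# value the caller knows must never reach the browser (e.g. a private token).
def exposed_gon_secrets(html, known_secrets = [])
  findings = gon_assignments(html).select do |key, value|
    key.match?(SENSITIVE_KEY) || known_secrets.include?(value)
  end
  findings.map(&:first)
end

# Constructed sample page body; the token value is a placeholder.
SAMPLE_HTML = <<~HTML
  <script>
  //<![CDATA[
  window.gon={};gon.api_version="v3";gon.api_token="CONSTRUCTED-token-123";gon.current_user_id=7;gon.relative_url_root="";
  //]]>
  </script>
HTML

puts exposed_gon_secrets(SAMPLE_HTML).inspect if __FILE__ == $PROGRAM_NAME
```

Passing the signed-in test user's real token as `known_secrets` in a request spec also catches the value if it is later exposed under a different key name.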
