Any way to use a client ID & secret or other method to give 'generic' access to JavaScript event stream

There are security risks for embedding an access token in things, but you need an access token in order to access the private SSE stream for an account.

However, the expiration is not an issue, because if you generate an access token you can set expires_in to 0 so it will never expire.

https://docs.particle.io/reference/api/#generate-an-access-token

If you can keep the access token in your server code, using a non-expiring token is a good solution.

Unfortunately there’s no fine-grained access control, so you can’t make an access token only for the SSE stream. Once you have an access token it either has access to everything, or only has access to create claim codes. This makes it difficult to use from client-side code safely.
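
An added example, not part of the original post, of the approach described above: a small Node relay that keeps the token in server code and forwards only allowlisted events to browsers. The upstream URL, the PARTICLE_TOKEN environment variable and the event names are assumptions, and Node 18+ is assumed for the global fetch.

```javascript
// Added example, not from the original post. Assumed: PARTICLE_TOKEN, URL, event names.
const UPSTREAM = 'https://api.particle.io/v1/devices/events';
const ALLOWED = new Set(['temperature', 'door']); // hypothetical event names

// Split buffered SSE text into complete events plus the unfinished tail.
function parseSse(buffer) {
  const blocks = buffer.split(/\r?\n\r?\n/);
  const rest = blocks.pop(); // may be a partial event; keep for the next chunk
  const events = [];
  for (const block of blocks) {
    let name = 'message';
    const data = [];
    for (const line of block.split(/\r?\n/)) {
      if (line.startsWith('event:')) name = line.slice(6).trim();
      else if (line.startsWith('data:')) data.push(line.slice(5).trim());
    } // comment lines such as ":ok" keep-alives are dropped
    if (data.length) events.push({ name, data });
  }
  return { events, rest };
}

// Keep only allowlisted events and re-serialise them for the browser.
function relayFrame(buffer, allowed = ALLOWED) {
  const { events, rest } = parseSse(buffer);
  const out = events
    .filter((e) => allowed.has(e.name))
    .map((e) => `event: ${e.name}\n${e.data.map((d) => `data: ${d}`).join('\n')}\n\n`)
    .join('');
  return { out, rest };
}

// Use as http.createServer(sseRelay), behind your own user authentication.
// The token is read server-side and sent only to the upstream API.
async function sseRelay(req, res) {
  const abort = new AbortController();
  req.on('close', () => abort.abort()); // stop upstream when the browser leaves
  const upstream = await fetch(UPSTREAM, {
    headers: { Authorization: `Bearer ${process.env.PARTICLE_TOKEN}` },
    signal: abort.signal,
  });
  res.writeHead(200, { 'Content-Type': 'text/event-stream', 'Cache-Control': 'no-cache' });
  const decoder = new TextDecoder();
  let pending = '';
  try {
    for await (const chunk of upstream.body) {
      const frame = relayFrame(pending + decoder.decode(chunk, { stream: true }));
      pending = frame.rest;
      if (frame.out) res.write(frame.out);
    }
  } catch (err) { if (err.name !== 'AbortError') throw err; }
  res.end();
}
```

Because the token has access to everything on the account, the allowlist in relayFrame is what limits the browser to the event stream, and only to the named events.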