@gruvin is 100% correct. You cannot secure any data that makes it to the browser.
Ie. You don’t put the goods on somebody else’s computer and hope to keep it safe.
If you plan to have your app be completely in javascript, then plan on this security limitation.
The only secure way with the current spark features is to have all the data calls go through the server.
The next best thing is to at least not have it sitting in your source. Put a password protect on the page that will then query the server for the token. From that point forward it’s in the browser again and not secure, but at least you trust the person with the password.
On my site, if you’re not logged in, I force you to enter the token in a form.
Hopefully the spark team addresses this with read only tokens at least. I can live with somebody reading the temperature on my device. I just don’t need them having the keys my spark kingdom.