web application – Does an API access token that only has access to public information need to be kept secret?

I found an Instagram Basic Display API access token leaked on a website. This token belongs to an Instagram marketing account of this website. Using my leet investigating skills, below is the information I have.

  • This token has a 3-month validity period
  • This token is in use (I see it was refreshed last week, when its validity period was about to end), although I cannot find where it is used
  • This token is a User Access Token for querying data from the Basic Display API. Doc here: https://developers.facebook.com/docs/instagram-basic-display-api
  • This access token only has read access to public information 🙁
  • This token will be temporarily rate limited if used too much

Do you know of any impact I can have with this access token other than rate limiting it?

Also, if this token needs to be kept secret, how can we protect it?