The question is quite old but still relevant and technology has changed. I am using WASM Web Tokens to secure my unauthenticated API. These are tokens generated in the browser using Webassembly and have shared secrets for the backend api to decrypt and verify. Webassembly being byte code is far harder to read than javascript