Based on this ,Instagram provide to access GET-based endpoints using JSONP which i know it include access token when making a request. We can load user photo just using client side using JSONP. I interest to using this method because it faster than load photos using server side.
Is it safe to include access token or URL that include access token in client side? if not, how to secure it?
Anything loaded to the client is unsecure and should not be count on to work properly. If someone experienced wants to get something from its content or change something on its way of working, he can no matter what you try. So in that regard no, it is not safe including access tokens.
It then boils down to: how much you care someone getting his hands on it?
They only possible answer to this, which will not work really, just make things harder to an 'attacker', is code obfuscation