I have implemented token-based authentication using Django REST framework.
But the tokens are visible in the HTTP request header when viewed with the browser's developer tools, and I'm able to fetch private data from the API with Postman using this token. Thus I feel this is not a secure way of authentication. My question is: are tokens visible in the HTTP request header for every token-based authentication? If not, please tell me which one I should use.
The tokens are specific to this login session of the user. If the user is logged in and the attacker has physical access to the device, he can still access all the needed data via your interface. So encrypting the token will serve no purpose, as it is still sent as a string to the backend. It's similar to sending a hash of the password rather than the password itself: the hash becomes the new password. The best you can do is invalidate tokens if there is no activity for a set period of time, like 5 minutes (used by banks/wallets). The other option is user-agent-based denial for Postman queries. Or, the most paranoid, you can map device fingerprints (https://github.com/Valve/fingerprintjs) to tokens (during login) and then prevent any other device from accessing the same token. Hope this helps and is not too late.