I am learning how to implement security in my Rails 5 API. I'm developing an Angular app to consume the API. To do this I'm implementing the devise_token_auth gem, but in my test in Postman I can sign up with email and password, then I receive a response with token (with expiry), data, content-type, client, uid. Then I test this from Angular and sign up from my browser, and in the web console I can see all the information that is necessary to access the API from another application.
The Devise method authenticate_user needs the parameters content-type, access-token, client, expiry, uid, but everybody could access this information if they take a look at the response in the web console, so then... I pick this information and paste it into a Postman request and I can access my protected endpoint, so how would this gem be useful? Am I missing something?
Here I sign in from Angular and check the response in the web console:
Then I paste the info into a new request in Postman to access the protected endpoint:
And the access is successful. How do I prevent the header information from being displayed in the web console?
But everybody could access this information if they take a look at the response in the web console
Am I missing something?
Yes. "Everybody" would only be able to see their own token (excluding things like sniffing HTTP. You will be using TLS, right?). With their token, users can do what they please and there's little you can do about it.
But they can't see other users' tokens this way.
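To make the answer's point concrete, here is an added, constructed Ruby model (not devise_token_auth's own code) of how the uid / client / access-token / expiry header set is checked against per-user stored tokens: copying your own headers into Postman authenticates you as yourself, while the same access-token presented under another user's uid, or after expiry, is rejected. The TokenStore class, the SHA-256 digest (the gem itself stores bcrypt digests) and the sample addresses are assumptions made for this example.

```ruby
require 'digest'
require 'securerandom'

# Constructed model of a per-user, per-client token table, keyed the way
# devise_token_auth's headers are: uid -> client -> { hashed token, expiry }.
class TokenStore
  def initialize
    @users = {}
  end

  # Sign-up / sign-in: mint a token for this uid and client, store only its
  # digest (a database leak then does not hand out usable tokens) and return
  # the headers the client will echo back. Default ttl: two weeks.
  def issue(uid, ttl: 2 * 7 * 24 * 3600, now: Time.now.to_i)
    token  = SecureRandom.urlsafe_base64(32)
    client = SecureRandom.urlsafe_base64(16)
    expiry = now + ttl
    (@users[uid] ||= {})[client] = { 'token' => digest(token), 'expiry' => expiry }
    { 'uid' => uid, 'client' => client, 'access-token' => token, 'expiry' => expiry.to_s }
  end

  # authenticate_user equivalent: returns the uid on success, nil on failure.
  # The token only ever resolves to the uid/client it was issued for.
  def authenticate(headers, now: Time.now.to_i)
    uid, client, token = headers.values_at('uid', 'client', 'access-token')
    record = @users.dig(uid, client)
    return nil unless record
    return nil if record['expiry'] <= now
    return nil unless secure_compare(record['token'], digest(token.to_s))
    uid
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison so response timing does not leak how much of
  # the digest matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The remaining exposure is the transport: without TLS the same headers are readable to anyone on the path, which is the sniffing case the answer mentions.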