Initial question includes this:
If you open that link in Introduction you can find this:
The goal is to be able to request API endpoints with a query parameter
tokenthat authenticates as a user.eg. /restaurants?token=my-secret-token.
Putting a valid token in url param is a terrible mistake, no matter if that url will be used between APIs or not. Url’s are stored in various places, logs, history, and so on…
I can show you many many security articles about this problem, here is an example:
For the exact same problem Strapi released a bug fix in version 3.2.4.