I agree to not trust client side tokens. Maybe I have also described it in a wrong way.
Right now, with the current configuration, no token at all is needed to access the api.
What I want to protect the API Endpoint with a token generated by Strapi and without the user logging in.