The Access Token (access_token parameter in API calls) represents a temporary password of a user in topoos.
Because of this, and as in the case of app credentials, the Access Token should be kept secure and not shown to users or other applications and services external to topoos (you must use Resources Exporting operations in this case). But it may happen that the access token can not always obfuscated code, and that can be caught.
To solve this problem, the access token is temporary and it will expire after a time after it was issued. When this token expires is necessary user interaction to get a new one, or by using a Refresh Token.
Read more about the OAuth autentication flow selection in this link.