The App Access Token is exposed.
Your function LITERALLY returns a the App Access Token to the frontend