That’s been my ongoing complaint.
I would recommend encrypting the token with a key. If you issue requests from the server, never pass that key to the client; if it’s done from the client, try to create a unique encryption key such as the computer’s machine key, or a fingerprint key of IP + browser + misc items. A client key can never be perfectly secured, but you can make it harder to compromise successfully.
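An added example, not part of the comment above: one way to apply the server-side recommendation in Node.js, where the master key stays on the server and a per-client AES-256-GCM key is derived from it and a fingerprint of IP + browser + misc items. The function names, the HMAC-based key derivation and the sample values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Server-held master key. Generated here for the demo (constructed value);
// in a real deployment it is loaded from a secret store and never sent to the client.
const SERVER_KEY = crypto.randomBytes(32);

// Fingerprint of ip + browser + misc items. JSON encoding keeps the field
// boundaries unambiguous before hashing.
function fingerprint(ip, userAgent, misc = '') {
  return crypto.createHash('sha256')
    .update(JSON.stringify([ip, userAgent, misc]))
    .digest();
}

// Per-client key = HMAC-SHA256(master key, fingerprint). Without the master
// key, knowing the fingerprint alone does not yield the encryption key.
function clientKey(fp, masterKey = SERVER_KEY) {
  return crypto.createHmac('sha256', masterKey).update(fp).digest();
}

// Encrypt the token; output layout is iv(12) || tag(16) || ciphertext, base64url.
function sealToken(token, fp, masterKey = SERVER_KEY) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', clientKey(fp, masterKey), iv);
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Returns the token, or null when the fingerprint differs, the key is wrong,
// or the sealed value was modified (GCM authentication fails).
function openToken(sealed, fp, masterKey = SERVER_KEY) {
  const raw = Buffer.from(sealed, 'base64url');
  if (raw.length < 28) return null;
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', clientKey(fp, masterKey), raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()])
      .toString('utf8');
  } catch {
    return null;
  }
}
```

Because the IP address is part of the fingerprint, a client whose address changes can no longer open its sealed token and has to obtain a new one.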