Server-supported tokens via user-credentials
If the end client already implements a user login into your backend servers, it is quite simple to integrate a server-supported token where a different ELSA token with a short time to live (expiration) can be generated to serve an end user only for the duration of their current login session. If that token is compromised, it will only be valid for the duration of the expiration time. You can see this as a session token enabling the end user to use the ELSA API only for a limited amount of time, after which a new ELSA token will need to be fetched.
To implement this use-case you will use the ELSA-Token API described below from your backend server and deliver to your end-user app a token to be used in their calls. This is a much more secure method than directly deploying a non-expiring session token into the client app. This is very similar to an Oauth2 implementation. To read more about this method you can read this article.