Web pages are visible to anyone, so public access tokens will be visible to anyone. Access tokens, however, can be deleted and rotated at any time if you suspect any misuse. You may also use secret access tokens for hard-to-rotate applications, like mobile apps, to limit exposure.
You can create as many access tokens as you want. To rotate, create a new access token, replace the old token with it in your project, and then remove the old token. Invalidation for uncached requests happens immediately; for cached requests it can take up to an hour.
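
A post-rotation check built on the invalidation timing described above, as an added example that is not from the original page: it sorts request-log entries for the deleted token into expected cache hits, rejections, and successes that should not occur. The log fields (`ts`, `token_id`, `cached`, `status`) and the token IDs are constructed for illustration, and treating any status of 400 or above as a rejection is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# From the text above: cached requests can take up to an hour to invalidate.
CACHE_WINDOW = timedelta(hours=1)

def classify(entry, old_token_id, deleted_at):
    """Label one request-log entry relative to deletion of the old token."""
    if entry["token_id"] != old_token_id or entry["ts"] < deleted_at:
        return "ignore"          # different token, or request predates deletion
    if entry["status"] >= 400:   # assumption: rejections surface as 4xx/5xx
        return "rejected"        # a client still configured with the old token
    if entry["cached"] and entry["ts"] <= deleted_at + CACHE_WINDOW:
        return "expected-cache"  # cached response inside the one-hour window
    return "investigate"         # uncached success, or success after the window

def audit(entries, old_token_id, deleted_at):
    """Count entries per label so a rotation can be signed off or escalated."""
    return Counter(classify(e, old_token_id, deleted_at) for e in entries)

def entry_at(hour, minute, token_id, cached, status):
    """Build one constructed log entry on 2024-01-01 (UTC)."""
    ts = datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)
    return {"ts": ts, "token_id": token_id, "cached": cached, "status": status}

# Constructed sample data: the old token was deleted at 12:00 UTC.
DELETED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    entry_at(11, 59, "tok_old", False, 200),  # before deletion
    entry_at(12, 5, "tok_old", True, 200),    # cached, inside the window
    entry_at(12, 6, "tok_old", False, 401),   # uncached and refused
    entry_at(12, 7, "tok_old", False, 200),   # uncached but still accepted
    entry_at(13, 30, "tok_old", True, 200),   # cached, past the window
    entry_at(12, 10, "tok_new", False, 200),  # replacement token
]

if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLE_LOG, "tok_old", DELETED_AT).items()):
        print(f"{label}: {count}")
```

Entries labelled `rejected` point at deployments that still carry the old token; entries labelled `investigate` contradict the stated invalidation timing and are the ones to follow up on.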