WP-Matomo
API token should not be accessible to everybody with access to the settings page
Right now, the API token is saved and displayed with an input field of type text. This means every account with access to the settings page has access to the API token. With the token, every admin is able to access the API in the name of the account that created the API token.
When you have only one admin or the API token can access just one siteId, there is no problem.
But when the token can access multiple siteIds, other admin accounts can gain access to data they should not have access to.
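
The pattern described in this issue next to a write-only alternative, as an added example that is not part of the original issue and is not WP-Matomo's code. All function names, the `api_token` key and the sample token are assumptions made for illustration; plain PHP is used instead of WordPress helpers so the block runs on its own.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

// Pattern from the issue: the stored token is echoed back into a text input,
// so anyone who can open the settings page can read it.
function render_token_field_exposed(array $settings): string {
    $value = htmlspecialchars($settings['api_token'] ?? '', ENT_QUOTES);
    return '<input type="text" name="api_token" value="' . $value . '">';
}

// Write-only field: the stored token is never sent to the browser.
// type="password" alone is not enough, because the value would still be
// in the page source; the value attribute must stay empty.
function render_token_field_write_only(array $settings): string {
    $hint = empty($settings['api_token'])
        ? 'No token stored'
        : 'Token stored, leave blank to keep it';
    return '<input type="password" name="api_token" value="" autocomplete="off" placeholder="'
        . htmlspecialchars($hint, ENT_QUOTES) . '">';
}

// Save handler for the write-only field: a blank submission keeps the
// existing token, a non-blank one replaces it.
function save_token(array $settings, array $post): array {
    $submitted = trim((string) ($post['api_token'] ?? ''));
    if ($submitted !== '') {
        $settings['api_token'] = $submitted;
    }
    return $settings;
}

// Constructed sample data.
$settings = ['api_token' => 'constructed-sample-token'];

$exposed   = render_token_field_exposed($settings);
$writeOnly = render_token_field_write_only($settings);

echo 'exposed form contains token: ';
var_dump(strpos($exposed, $settings['api_token']) !== false);
echo 'write-only form contains token: ';
var_dump(strpos($writeOnly, $settings['api_token']) !== false);

// Saving the form without touching the field must not wipe the token.
$kept = save_token($settings, ['api_token' => '']);
echo 'token kept after blank save: ';
var_dump($kept['api_token'] === $settings['api_token']);
```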