APM (observability): what rights does the secret token have?

What rights does the secret token have? Or, put differently, what risk exists when it is leaked?

APM supports secret tokens.

I specify one in the server config (apm-server.auth.secret_token), then in the agent (e.g. elastic_apm.secret_token for the PHP agent).

Although - at least - the PHP agent masks it:

root@http-tst01:/etc/php# php -i | grep elastic_apm.secret_token
elastic_apm.secret_token => *** => *** => ***
elastic_apm.secret_token => *** => ***

... the documentation does not clarify what rights it actually has. Is it push-only? Can it read data? Is it scoped? Etc.