This means that possessing the object containing the reference is enough for getting access.
So in the end it’s then only a tool for keeping the token out of the log of the remote server?
Hmm, but the ID becomes invalid if the token is revoked.
Why not extend the AP Object and Link types with an attribute that indicates the authentication to be used to access the referenced object?
This would keep the ID URI stable.