Defense in depth: path-dependent feed token
When a feed_token is leaked as a URL parameter for one feed (in a shared link, a referer header, a proxy log or browser history), it currently grants read access to all of that user's other, unrelated feeds, because the token is bound to the user rather than to the feed.
As a defense-in-depth measure the feed_token should be derived per path, or even per path/params combination, so that a leaked token exposes only the one URL it was issued for.
The easiest approach is to keep one secret value per user and compute the feed token for a URL as an HMAC of the requested path under that secret. Nothing needs to be stored per feed: verification recomputes the HMAC over the requested path and compares it to the presented token in constant time. A token leaked for one feed does not verify for any other path, and rotating the user's secret revokes every outstanding token at once. The path must be canonicalized before hashing (and, if query parameters are included, they must be sorted and the feed_token parameter itself excluded), otherwise equivalent URLs yield different tokens or an attacker can add parameters that change the response without invalidating the token.
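The following is an added illustration of the scheme, not code from the project: a per-user secret, a canonical form of path plus sorted query parameters (with feed_token removed), HMAC-SHA256 as the token, and a constant-time verifier. The USER_SECRETS dict, the function names and the /feeds/… paths are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical per-user secret store (constructed for the example);
# a real service would keep this column next to the user record.
USER_SECRETS = {"alice": secrets.token_bytes(32)}

TOKEN_PARAM = "feed_token"


def canonical_path(url_or_path: str) -> str:
    """Reduce a URL or path to the string the token is bound to.

    The path is kept as-is, query parameters are sorted so that
    ?a=1&b=2 and ?b=2&a=1 produce the same token, the feed_token
    parameter itself is dropped (it cannot be part of its own input),
    and the fragment is ignored because it never reaches the server.
    """
    parts = urlsplit(url_or_path)
    params = sorted(
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k != TOKEN_PARAM
    )
    canon = parts.path or "/"
    if params:
        canon += "?" + urlencode(params)
    return canon


def feed_token(user: str, url_or_path: str) -> str:
    """Token for this user and this URL: HMAC-SHA256(user_secret, canonical path)."""
    mac = hmac.new(USER_SECRETS[user], canonical_path(url_or_path).encode(), hashlib.sha256)
    return mac.hexdigest()


def feed_url(user: str, url_or_path: str) -> str:
    """Append the path-bound token to a feed URL the user can share."""
    sep = "&" if "?" in url_or_path else "?"
    return f"{url_or_path}{sep}{TOKEN_PARAM}={feed_token(user, url_or_path)}"


def verify_feed_token(user: str, requested_url: str, presented: str) -> bool:
    """Recompute the HMAC for the path actually requested and compare in
    constant time. A token minted for /feeds/1 fails here for /feeds/2."""
    if user not in USER_SECRETS:
        return False
    return hmac.compare_digest(feed_token(user, requested_url), presented)


def rotate_secret(user: str) -> None:
    """Revoke every token the user has ever been issued."""
    USER_SECRETS[user] = secrets.token_bytes(32)


if __name__ == "__main__":
    shared = feed_url("alice", "/feeds/1?format=atom")
    token = shared.rsplit(f"{TOKEN_PARAM}=", 1)[1]
    print("shared link:", shared)
    print("valid for /feeds/1:", verify_feed_token("alice", shared, token))
    print("valid for /feeds/2:", verify_feed_token("alice", "/feeds/2?format=atom", token))
```

Whether query parameters belong in the canonical form is a product decision: binding them stops a leaked token from being reused with a different format or filter, but any parameter the client is allowed to vary freely (a page number, say) then has to be excluded from canonical_path.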