refetching on client side?!

hey, I use react query and graphql client in a next app to fetch data from contentful. I wonder if I need to have the token publicly available in order to use react query due to the fact the revalidating of the states is happening on the client side?! Or am I misunderstanding something here? I am just concerned about having the access and previewtoken written in the client bundle?! Any ideas?