Hey Nahuel,
Requests directly against the Losant API cannot be made with an Experience User’s authentication token. The tokens provided by Experience Users (i.e., logged in via an onlosant.com page) are used for identification and authentication when they make requests against Experience Endpoints.
The Losant API provides broad access to an application’s resources, and it’s not likely a level of access you want to expose to your Experience Users. This is why we introduced the Experience Endpoint system as a layer above the Losant API. Endpoints allow you to handle and validate requests based on your application’s own security requirements.
It is a perfectly acceptable use case to allow an Experience User to trigger a Virtual Button; however, you’ll have to move the button invocation into a Workflow triggered by an Experience Endpoint. So the AJAX call will not directly request the Losant API; it will instead request an Experience Endpoint. The Workflow that’s triggered by that endpoint can then use the Losant API Node to do what you’re trying to do directly. This extra layer then gives you an opportunity to make sure the user attempting this action is allowed to do it.
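
The flow described in the reply above, as an added example that is not part of the original post and not Losant's own code: a plain JavaScript model of the browser request to an Experience Endpoint and of the deny-by-default check the triggered Workflow can make before it calls the Losant API. The endpoint path, the `Bearer` header usage, the function names and the access list are assumptions made for illustration.

```javascript
// Constructed sample data: which Experience Users may press which Virtual Buttons.
const BUTTON_ACL = {
  'pump-start': ['ops@example.com', 'admin@example.com'],
  'pump-stop': ['ops@example.com', 'admin@example.com', 'viewer@example.com'],
};

// Browser side (hypothetical route): the request targets the Experience
// Endpoint, never the Losant API. Only a button name is sent; the caller's
// identity comes from the Experience User token, not from the request body.
function buildButtonRequest(experienceBaseUrl, userToken, buttonName) {
  return {
    url: `${experienceBaseUrl}/buttons/${encodeURIComponent(buttonName)}/press`,
    options: {
      method: 'POST',
      headers: { Authorization: `Bearer ${userToken}` },
    },
  };
}

// Workflow side (model of the check, hypothetical names): decide whether the
// Workflow may continue to the Losant API call. `authenticatedUser` is the
// user resolved from the token, or null when no valid token was presented.
function authorizeButtonPress(authenticatedUser, buttonName, acl = BUTTON_ACL) {
  if (!authenticatedUser) {
    return { status: 401, allowed: false, reason: 'not authenticated' };
  }
  // Own-property lookup only, so names like "__proto__" never match.
  const known = Object.prototype.hasOwnProperty.call(acl, buttonName);
  if (!known) {
    return { status: 404, allowed: false, reason: 'unknown button' };
  }
  if (!acl[buttonName].includes(authenticatedUser.email)) {
    return { status: 403, allowed: false, reason: 'user not permitted' };
  }
  return { status: 200, allowed: true, reason: 'ok' };
}
```

Only a result with `allowed: true` should lead on to the step that presses the Virtual Button; every other result maps to an error reply from the endpoint.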