It would be great to know how to protect an endpoint within a custom plugin with Strapi's API tokens. Through a long process of digging through source code, I found that defining the route as an object (instead of an array) with the values seems to work. However there is no documentation on this at all.