It would be great to know how to protect an endpoint within a custom plugin with Strapi's API tokens. Through a long process of digging through source code, I found that defining the route as an object (instead of an array) with the values
type: "content-api"
seems to work. However there is no documentation on this at all.